From e3f6196ffc904b6bfe349bac6dfb396c17535494 Mon Sep 17 00:00:00 2001
From: JeffWDH
Date: Sat, 28 Oct 2023 09:42:07 -0400
Subject: T5661: Add show ssh dynamic-protection and show log ssh dynamic-protection
---
src/op_mode/ssh.py | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
(limited to 'src/op_mode/ssh.py')
diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py
index 4de9521b5..89db7b3d3 100755
--- a/src/op_mode/ssh.py
+++ b/src/op_mode/ssh.py
@@ -15,6 +15,7 @@
 # You should have received a copy of the GNU Lesser General Public
 # License along with this library. If not, see .
+import json
 import sys
 import glob
 import vyos.opmode
@@ -60,3 +61,40 @@ def show_fingerprints(raw: bool, ascii: bool):
 return []
 else:
 return "No SSH server public keys are found."
+
+def show_dynamic_protection(raw: bool):
+ config = ConfigTreeQuery()
+ if not config.exists("service ssh dynamic-protection"):
+ raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.")
+
+ attackers = []
+ try:
+ # IPv4
+ attackers = attackers + json.loads(cmd("sudo nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"]
+ except:
+ pass
+ try:
+ # IPv6
+ attackers = attackers + json.loads(cmd("sudo nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"]
+ except:
+ pass
+ if attackers:
+ if raw:
+ return attackers
+ else:
+ output = "Blocked attackers:\n" + "\n".join(attackers)
+ return output
+ else:
+ if raw:
+ return []
+ else:
+ return "No blocked attackers."
+
+if __name__ == '__main__':
+ try:
+ res = vyos.opmode.run(sys.modules[__name__])
+ if res:
+ print(res)
+ except (ValueError, vyos.opmode.Error) as e:
+ print(e)
+ sys.exit(1)
-- cgit v1.2.3
From b34b1992a65e519af0aed5ad43b1d60e6d1f7af5 Mon Sep 17 00:00:00 2001
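Review bot: The two bare `except: pass` blocks around the nft queries map every failure — nft absent, the `sudo` call refused, unparsable output, or the hard-coded `["nftables"][1]["set"]["elem"]` path not matching — to "No blocked attackers.", so an operator checking that dynamic-protection is working can get a false all-clear; the same handlers are carried unchanged into the ssh.py hunk of the second patch. Only an empty set should yield an empty list (nft's JSON output omits `elem` for an empty set, as far as I recall — worth confirming); any other failure should surface through `vyos.opmode` so the `__main__` handler prints it. Locating the object that carries a `set` key is also safer than assuming it sits at index 1. If the set elements ever carry timeouts, nft emits them as objects rather than plain strings and the `"\n".join(attackers)` outside the `try` would raise a TypeError, so I would confirm sshguard never adds element timeouts before relying on plain strings.
```python
def _blocked_by_family(family: str) -> list:
    # Only a set without an "elem" key means "nothing blocked"; every other failure propagates.
    ruleset = json.loads(cmd(f'sudo nft -j list set {family} sshguard attackers'))
    for obj in ruleset['nftables']:
        if 'set' in obj:
            return obj['set'].get('elem', [])
    return []

def show_dynamic_protection(raw: bool):
    # … unchanged: UnconfiguredSubsystem check …
    attackers = []
    for family in ('ip', 'ip6'):
        try:
            attackers += _blocked_by_family(family)
        except (OSError, ValueError, KeyError, TypeError) as e:
            raise vyos.opmode.DataUnavailable(f'Unable to read {family} sshguard set: {e}') from e
    # … unchanged: raw / formatted return …
```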
From: Christian Breunig
Date: Sun, 29 Oct 2023 08:08:02 +0100
Subject: op-mode: T5661: remove call to sudo in ssh.py and move it to XML definition
Try to have as few calls to sudo in the op-mode scripts as possible. The XML definitions can deal with it.
(cherry picked from commit 428dee29d36cc3629990ec41afef887821886834)
---
op-mode-definitions/show-ssh.xml.in | 2 +-
src/op_mode/ssh.py | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'src/op_mode/ssh.py')
diff --git a/op-mode-definitions/show-ssh.xml.in b/op-mode-definitions/show-ssh.xml.in
index 88faecada..ca8e669b3 100644
--- a/op-mode-definitions/show-ssh.xml.in
+++ b/op-mode-definitions/show-ssh.xml.in
@@ -11,7 +11,7 @@
 Show SSH server dynamic-protection blocked attackers
- ${vyos_op_scripts_dir}/ssh.py show_dynamic_protection
+ sudo ${vyos_op_scripts_dir}/ssh.py show_dynamic_protection
diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py
index 89db7b3d3..acb066144 100755
--- a/src/op_mode/ssh.py
+++ b/src/op_mode/ssh.py
@@ -64,18 +64,18 @@ def show_fingerprints(raw: bool, ascii: bool):
 def show_dynamic_protection(raw: bool):
 config = ConfigTreeQuery()
- if not config.exists("service ssh dynamic-protection"):
+ if not config.exists(['service', 'ssh', 'dynamic-protection']):
 raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.")
 attackers = []
 try:
 # IPv4
- attackers = attackers + json.loads(cmd("sudo nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"]
+ attackers = attackers + json.loads(cmd("nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"]
 except:
 pass
 try:
 # IPv6
- attackers = attackers + json.loads(cmd("sudo nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"]
+ attackers = attackers + json.loads(cmd("nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"]
 except:
 pass
 if attackers:
-- cgit v1.2.3
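Review bot: Dropping `sudo` from the two `cmd()` strings makes a privilege failure — the script run directly, or by a user whose sudo rule does not cover the new XML wrapper — indistinguishable from an empty set, because the unchanged `except: pass` around each call (context lines in this hunk) swallows the error and the function answers "No blocked attackers.". As far as I recall `cmd()` in vyos.utils.process raises `OSError` on a non-zero exit, which the `__main__` handler does not catch either, so the narrowest fix is to keep only the empty-set case silent, `except (KeyError, IndexError): pass  # set exists but has no elements`, and convert the privilege case, `except OSError as e: raise vyos.opmode.Error(f'Failed to query sshguard set: {e}') from e`, so it is reported rather than hidden. With the XML wrapper now running the whole script as root, the config lookup and JSON parsing also run privileged, which is acceptable under the stated convention but worth keeping in mind before more work is added to this function. The remainder of show_dynamic_protection lies outside this hunk.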