| author | kumvijaya <kumvijaya@gmail.com> | 2024-05-21 16:41:14 +0530 |
|---|---|---|
| committer | kumvijaya <kumvijaya@gmail.com> | 2024-05-21 16:41:14 +0530 |
| commit | cc86483fdf7a6bd988f485c06402fd07368dd26e (patch) | |
| tree | 9d892a9715106cc67bf1e57b15b999aa7e564057 /data/templates/ssh | |
| parent | 704ca2322d0bebcb923f5136f0f69fb23651a484 (diff) | |
T6357: create test repository to validate setup
Diffstat (limited to 'data/templates/ssh')
| -rw-r--r-- | data/templates/ssh/sshd_config.j2 | 107 | ||||
| -rw-r--r-- | data/templates/ssh/sshguard_config.j2 | 27 | ||||
| -rw-r--r-- | data/templates/ssh/sshguard_whitelist.j2 | 7 |
3 files changed, 141 insertions, 0 deletions
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
new file mode 100644
index 0000000..650fd25
--- /dev/null
+++ b/data/templates/ssh/sshd_config.j2
@@ -0,0 +1,107 @@
+### Autogenerated by service_ssh.py ###
+
+# https://linux.die.net/man/5/sshd_config
+
+#
+# Non-configurable defaults
+#
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+SyslogFacility AUTH
+LoginGraceTime 120
+StrictModes yes
+PubkeyAuthentication yes
+IgnoreRhosts yes
+HostbasedAuthentication no
+PermitEmptyPasswords no
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+Banner /etc/issue.net
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+PermitRootLogin no
+PidFile /run/sshd/sshd.pid
+AddressFamily any
+DebianBanner no
+KbdInteractiveAuthentication no
+
+#
+# User configurable section
+#
+
+# Look up remote host name and check that the resolved host name for the remote IP
+# address maps back to the very same IP address.
+UseDNS {{ "no" if disable_host_validation is vyos_defined else "yes" }}
+
+# Specifies the port number that sshd(8) listens on
+{% for value in port %}
+Port {{ value }}
+{% endfor %}
+
+# Gives the verbosity level that is used when logging messages from sshd
+LogLevel {{ loglevel | upper }}
+
+# Specifies whether password authentication is allowed
+PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
+
+{% if listen_address is vyos_defined %}
+# Specifies the local addresses sshd should listen on
+{% for address in listen_address %}
+ListenAddress {{ address }}
+{% endfor %}
+{% endif %}
+
+{% if ciphers is vyos_defined %}
+# Specifies the ciphers allowed for protocol version 2
+Ciphers {{ ciphers | join(',') }}
+{% endif %}
+
+{% if hostkey_algorithm is vyos_defined %}
+# Specifies the available Host Key signature algorithms
+HostKeyAlgorithms {{ hostkey_algorithm | join(',') }}
+{% endif %}
+
+{% if mac is vyos_defined %}
+# Specifies the available MAC (message authentication code) algorithms
+MACs {{ mac | join(',') }}
+{% endif %}
+
+{% if key_exchange is vyos_defined %}
+# Specifies the available Key Exchange algorithms
+KexAlgorithms {{ key_exchange | join(',') }}
+{% endif %}
+
+{% if access_control is vyos_defined %}
+{% if access_control.allow.user is vyos_defined %}
+# If specified, login is allowed only for user names that match
+AllowUsers {{ access_control.allow.user | join(' ') }}
+{% endif %}
+{% if access_control.allow.group is vyos_defined %}
+# If specified, login is allowed only for users whose primary group or supplementary group list matches
+AllowGroups {{ access_control.allow.group | join(' ') }}
+{% endif %}
+{% if access_control.deny.user is vyos_defined %}
+# Login is disallowed for user names that match
+DenyUsers {{ access_control.deny.user | join(' ') }}
+{% endif %}
+{% if access_control.deny.group is vyos_defined %}
+# Login is disallowed for users whose primary group or supplementary group list matches
+DenyGroups {{ access_control.deny.group | join(' ') }}
+{% endif %}
+{% endif %}
+
+{% if client_keepalive_interval is vyos_defined %}
+# Sets a timeout interval in seconds after which if no data has been received from the client,
+# sshd(8) will send a message through the encrypted channel to request a response from the client
+ClientAliveInterval {{ client_keepalive_interval }}
+{% endif %}
+
+{% if rekey.data is vyos_defined %}
+RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }}
+{% endif %}
diff --git a/data/templates/ssh/sshguard_config.j2 b/data/templates/ssh/sshguard_config.j2
new file mode 100644
index 0000000..2e75074
--- /dev/null
+++ b/data/templates/ssh/sshguard_config.j2
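Review bot: The "Non-configurable defaults" block of sshd_config.j2 hard-codes `X11Forwarding yes` and `HostKey /etc/ssh/ssh_host_dsa_key`, and nothing in the user-configurable section lets an operator override either. X11 forwarding is seldom needed on a router and is off in sshd's own defaults, so `X11Forwarding no` is the safer fixed value. DSA host keys have been disabled by default since OpenSSH 7.0, so that `HostKey` line most likely only produces a load warning at start-up and can be dropped. `Protocol 2` is likewise ignored by current OpenSSH releases and could be removed at the same time.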
@@ -0,0 +1,27 @@
+### Autogenerated by service_ssh.py ###
+
+{% if dynamic_protection is vyos_defined %}
+# Full path to backend executable (required, no default)
+BACKEND="/usr/libexec/sshguard/sshg-fw-nft-sets"
+
+# Shell command that provides logs on standard output. (optional, no default)
+# Example 1: ssh and sendmail from systemd journal:
+LOGREADER="LANG=C journalctl -afb -p info -n1 -t sshd -o cat"
+
+#### OPTIONS ####
+# Block attackers when their cumulative attack score exceeds THRESHOLD.
+# Most attacks have a score of 10. (optional, default 30)
+THRESHOLD={{ dynamic_protection.threshold }}
+
+# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
+# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
+BLOCK_TIME={{ dynamic_protection.block_time }}
+
+# Remember potential attackers for up to DETECTION_TIME seconds before
+# resetting their score. (optional, default 1800)
+DETECTION_TIME={{ dynamic_protection.detect_time }}
+
+# IP addresses listed in the WHITELIST_FILE are considered to be
+# friendlies and will never be blocked.
+WHITELIST_FILE=/etc/sshguard/whitelist
+{% endif %}
diff --git a/data/templates/ssh/sshguard_whitelist.j2 b/data/templates/ssh/sshguard_whitelist.j2
new file mode 100644
index 0000000..194fa29
--- /dev/null
+++ b/data/templates/ssh/sshguard_whitelist.j2
@@ -0,0 +1,7 @@
+### Autogenerated by service_ssh.py ###
+
+{% if dynamic_protection.allow_from is vyos_defined %}
+{% for address in dynamic_protection.allow_from %}
+{{ address }}
+{% endfor %}
+{% endif %}
|
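Review bot: `THRESHOLD`, `BLOCK_TIME` and `DETECTION_TIME` in sshguard_config.j2 are rendered from `dynamic_protection.*` with no default and no type filter, so a missing key yields an empty assignment and a non-numeric value is written verbatim. The file uses shell-style assignments (`BACKEND="..."`), so if sshguard reads it as shell these values must already be plain integers when they reach the template. That validation presumably lives in service_ssh.py or the CLI definition, which this diff does not show. A template-side guard such as `THRESHOLD={{ dynamic_protection.threshold | int }}` would make the output independent of the caller. The same concern applies to `{{ address }}` in sshguard_whitelist.j2, where every rendered entry is exempt from blocking.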
