diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in
index 747622db6..a54d28288 100644
--- a/op-mode-definitions/show-log.xml.in
+++ b/op-mode-definitions/show-log.xml.in
@@ -1,497 +1,505 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="show">
<properties>
<help>Show system information</help>
</properties>
<children>
<tagNode name="log">
<properties>
<help>Show last number of messages in master logging buffer</help>
<completionHelp>
<list><1-9999></list>
</completionHelp>
</properties>
<command>if ${vyos_validators_dir}/numeric --range 1-9999 "$3"; then journalctl --no-hostname --boot --lines "$3"; fi</command>
</tagNode>
<node name="log">
<properties>
<help>Show contents of current master logging buffer</help>
</properties>
<command>journalctl --no-hostname --boot</command>
<children>
<leafNode name="audit">
<properties>
<help>Show audit logs</help>
</properties>
<command>cat /var/log/audit/audit.log</command>
</leafNode>
<leafNode name="all">
<properties>
<help>Show contents of all master log files</help>
</properties>
<command>sudo bash -c 'eval $(lesspipe); less $_vyatta_less_options --prompt=".logm, file %i of %m., page %dt of %D" -- `printf "%s\n" /var/log/messages* | sort -nr`'</command>
</leafNode>
<leafNode name="authorization">
<properties>
<help>Show listing of authorization attempts</help>
</properties>
<command>journalctl --no-hostname --boot --quiet SYSLOG_FACILITY=10 SYSLOG_FACILITY=4</command>
</leafNode>
<leafNode name="cluster">
<properties>
<help>Show log for Cluster</help>
</properties>
<command>cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep -e heartbeat -e cl_status -e mach_down -e ha_log</command>
</leafNode>
<leafNode name="conntrack-sync">
<properties>
<help>Show log for Conntrack-sync</help>
</properties>
<command>journalctl --no-hostname --boot --unit conntrackd.service</command>
</leafNode>
<leafNode name="console-server">
<properties>
<help>Show log for console server</help>
</properties>
<command>journalctl --no-hostname --boot --unit conserver-server.service</command>
</leafNode>
<node name="ids">
<properties>
<help>Show log for for Intrusion Detection System</help>
</properties>
<children>
<leafNode name="ddos-protection">
<properties>
<help>Show log for DDOS protection</help>
</properties>
<command>journalctl --no-hostname --boot --unit fastnetmon.service</command>
</leafNode>
</children>
</node>
<node name="dhcp">
<properties>
<help>Show log for Dynamic Host Control Protocol (DHCP)</help>
</properties>
<children>
<node name="server">
<properties>
<help>Show log for DHCP server</help>
</properties>
<command>journalctl --no-hostname --boot --unit isc-dhcp-server.service</command>
</node>
<node name="client">
<properties>
<help>Show DHCP client logs</help>
</properties>
<command>journalctl --no-hostname --boot --unit "dhclient@*.service"</command>
<children>
<tagNode name="interface">
<properties>
<help>Show DHCP client log on specific interface</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces --broadcast</script>
</completionHelp>
</properties>
<command>journalctl --no-hostname --boot --unit "dhclient@$6.service"</command>
</tagNode>
</children>
</node>
</children>
</node>
<node name="dhcpv6">
<properties>
<help>Show log for Dynamic Host Control Protocol IPv6 (DHCPv6)</help>
</properties>
<children>
<node name="server">
<properties>
<help>Show log for DHCPv6 server</help>
</properties>
<command>journalctl --no-hostname --boot --unit isc-dhcp-server6.service</command>
</node>
<node name="client">
<properties>
<help>Show DHCPv6 client logs</help>
</properties>
<command>journalctl --no-hostname --boot --unit "dhcp6c@*.service"</command>
<children>
<tagNode name="interface">
<properties>
<help>Show DHCPv6 client log on specific interface</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
<command>journalctl --no-hostname --boot --unit "dhcp6c@$6.service"</command>
</tagNode>
</children>
</node>
</children>
</node>
<node name="firewall">
<properties>
<help>Show log for Firewall</help>
</properties>
<children>
<tagNode name="ipv6-name">
<properties>
<help>Show log for a specified firewall (IPv6)</help>
<completionHelp>
<path>firewall ipv6-name</path>
</completionHelp>
</properties>
<command>cat $(printf "%s\n" /var/log/messages* | sort -nr ) | egrep "\[$5-([0-9]+|default)-[ADR]\]"</command>
<children>
<tagNode name="rule">
<properties>
<help>Show log for a rule in the specified firewall</help>
<completionHelp>
<path>firewall ipv6-name ${COMP_WORDS[4]} rule</path>
</completionHelp>
</properties>
<command>cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep -e "\[$5-$7-[ADR]\]"</command>
</tagNode>
</children>
</tagNode>
<tagNode name="name">
<properties>
<help>Show log for a specified firewall (IPv4)</help>
<completionHelp>
<path>firewall name</path>
</completionHelp>
</properties>
<command>cat $(printf "%s\n" /var/log/messages* | sort -nr ) | egrep "\[$5-([0-9]+|default)-[ADR]\]"</command>
<children>
<tagNode name="rule">
<properties>
<help>Show log for a rule in the specified firewall</help>
<completionHelp>
<path>firewall name ${COMP_WORDS[4]} rule</path>
</completionHelp>
</properties>
<command>cat $(printf "%s\n" /var/log/messages* | sort -nr) | egrep "\[$5-$7-[ADR]\]"</command>
</tagNode>
</children>
</tagNode>
</children>
</node>
<leafNode name="flow-accounting">
<properties>
<help>Show log for flow-accounting</help>
</properties>
<command>journalctl --no-hostname --boot --unit uacctd.service</command>
</leafNode>
<leafNode name="https">
<properties>
<help>Show log for HTTPs</help>
</properties>
<command>journalctl --no-hostname --boot --unit nginx.service</command>
</leafNode>
<tagNode name="image">
<properties>
<help>Show contents of master log file for image</help>
<completionHelp>
<script>compgen -f /lib/live/mount/persistence/boot/ | grep -v grub | sed -e s@/lib/live/mount/persistence/boot/@@</script>
</completionHelp>
</properties>
<command>less $_vyatta_less_options --prompt=".log, page %dt of %D" -- /lib/live/mount/persistence/boot/$4/rw/var/log/messages</command>
<children>
<leafNode name="all">
<properties>
<help>Show contents of all master log files for image</help>
</properties>
<command>eval $(lesspipe); less $_vyatta_less_options --prompt=".log?m, file %i of %m., page %dt of %D" -- `printf "%s\n" /lib/live/mount/persistence/boot/$4/rw/var/log/messages* | sort -nr`</command>
</leafNode>
<leafNode name="authorization">
<properties>
<help>Show listing of authorization attempts for image</help>
</properties>
<command>less $_vyatta_less_options --prompt=".log, page %dt of %D" -- /lib/live/mount/persistence/boot/$4/rw/var/log/auth.log</command>
</leafNode>
<tagNode name="tail">
<properties>
<help>Show last changes to messages</help>
<completionHelp>
<list><NUMBER></list>
</completionHelp>
</properties>
<command>tail -n "$6" /lib/live/mount/persistence/boot/$4/rw/var/log/messages | ${VYATTA_PAGER:-cat}</command>
</tagNode>
</children>
</tagNode>
<leafNode name="ipoe-server">
<properties>
<help>Show log for IPoE server</help>
</properties>
<command>journalctl --no-hostname --boot --unit accel-ppp@ipoe.service</command>
</leafNode>
<leafNode name="kernel">
<properties>
<help>Show log for Linux Kernel</help>
</properties>
<command>journalctl --no-hostname --boot --dmesg</command>
</leafNode>
<leafNode name="lldp">
<properties>
<help>Show log for Link Layer Discovery Protocol (LLDP)</help>
</properties>
<command>journalctl --no-hostname --boot --unit lldpd.service</command>
</leafNode>
<leafNode name="nat">
<properties>
<help>Show log for Network Address Translation (NAT)</help>
</properties>
<command>egrep -i "kernel:.*\[NAT-[A-Z]{3,}-[0-9]+(-MASQ)?\]" $(find /var/log -maxdepth 1 -type f -name messages\* | sort -t. -k2nr)</command>
</leafNode>
<leafNode name="nhrp">
<properties>
<help>Show log for Next Hop Resolution Protocol (NHRP)</help>
</properties>
<command>journalctl --no-hostname --boot --unit opennhrp.service</command>
</leafNode>
<leafNode name="ntp">
<properties>
<help>Show log for Network Time Protocol (NTP)</help>
</properties>
<command>journalctl --no-hostname --boot --unit chrony.service</command>
</leafNode>
<node name="macsec">
<properties>
<help>Show log for MACsec</help>
</properties>
<command>journalctl --no-hostname --boot --unit "wpa_supplicant-macsec@*.service"</command>
<children>
<tagNode name="interface">
<properties>
<help>Show MACsec log on specific interface</help>
<completionHelp>
<path>interfaces macsec</path>
</completionHelp>
</properties>
<command>SRC=$(cli-shell-api returnValue interfaces macsec "$5" source-interface); journalctl --no-hostname --boot --unit "wpa_supplicant-macsec@$SRC.service"</command>
</tagNode>
</children>
</node>
<node name="openvpn">
<properties>
<help>Show log for OpenVPN</help>
</properties>
<command>journalctl --no-hostname --boot --unit openvpn@*.service</command>
<children>
<tagNode name="interface">
<properties>
<help>Show OpenVPN log on specific interface</help>
<completionHelp>
<path>interfaces openvpn</path>
</completionHelp>
</properties>
<command>journalctl --no-hostname --boot --unit openvpn@$5.service</command>
</tagNode>
</children>
</node>
<node name="pppoe">
<properties>
<help>Show log for PPPoE interface</help>
</properties>
<command>journalctl --no-hostname --boot --unit "ppp@pppoe*.service"</command>
<children>
<tagNode name="interface">
<properties>
<help>Show PPPoE log on specific interface</help>
<completionHelp>
<path>interfaces pppoe</path>
</completionHelp>
</properties>
<command>journalctl --no-hostname --boot --unit "ppp@$5.service"</command>
</tagNode>
</children>
</node>
<leafNode name="pppoe-server">
<properties>
<help>Show log for PPPoE server</help>
</properties>
<command>journalctl --no-hostname --boot --unit accel-ppp@pppoe.service</command>
</leafNode>
<node name="protocol">
<properties>
<help>Show log for Routing Protocol</help>
</properties>
<children>
<leafNode name="ospf">
<properties>
<help>Show log for OSPF</help>
</properties>
<command>journalctl --boot /usr/lib/frr/ospfd</command>
</leafNode>
<leafNode name="ospfv3">
<properties>
<help>Show log for OSPF for IPv6</help>
</properties>
<command>journalctl --boot /usr/lib/frr/ospf6d</command>
</leafNode>
<leafNode name="bgp">
<properties>
<help>Show log for BGP</help>
</properties>
<command>journalctl --boot /usr/lib/frr/bgpd</command>
</leafNode>
<leafNode name="rip">
<properties>
<help>Show log for RIP</help>
</properties>
<command>journalctl --boot /usr/lib/frr/ripd</command>
</leafNode>
<leafNode name="ripng">
<properties>
<help>Show log for RIPng</help>
</properties>
<command>journalctl --boot /usr/lib/frr/ripngd</command>
</leafNode>
<leafNode name="static">
<properties>
<help>Show log for static route</help>
</properties>
<command>journalctl --boot /usr/lib/frr/staticd</command>
</leafNode>
<leafNode name="multicast">
<properties>
<help>Show log for Multicast protocol</help>
</properties>
<command>journalctl --boot /usr/lib/frr/pimd</command>
</leafNode>
<leafNode name="isis">
<properties>
<help>Show log for ISIS</help>
</properties>
<command>journalctl --boot /usr/lib/frr/isisd</command>
</leafNode>
<leafNode name="nhrp">
<properties>
<help>Show log for NHRP</help>
</properties>
<command>journalctl --boot /usr/lib/frr/nhrpd</command>
</leafNode>
<leafNode name="bfd">
<properties>
<help>Show log for BFD</help>
</properties>
<command>journalctl --boot /usr/lib/frr/bfdd</command>
</leafNode>
<leafNode name="mpls">
<properties>
<help>Show log for MPLS</help>
</properties>
<command>journalctl --boot /usr/lib/frr/ldpd</command>
</leafNode>
</children>
</node>
<leafNode name="router-advert">
<properties>
<help>Show log for Router Advertisement Daemon (radvd)</help>
</properties>
<command>journalctl --no-hostname --boot --unit radvd.service</command>
</leafNode>
<leafNode name="snmp">
<properties>
<help>Show log for Simple Network Monitoring Protocol (SNMP)</help>
</properties>
<command>journalctl --no-hostname --boot --unit snmpd.service</command>
</leafNode>
- <leafNode name="ssh">
+ <node name="ssh">
<properties>
<help>Show log for Secure Shell (SSH)</help>
</properties>
<command>journalctl --no-hostname --boot --unit ssh.service</command>
- </leafNode>
+ <children>
+ <node name="dynamic-protection">
+ <properties>
+ <help>Show dynamic-protection log</help>
+ </properties>
+ <command>journalctl --no-hostname -p info -t sshguard -o short</command>
+ </node>
+ </children>
+ </node>
<tagNode name="tail">
<properties>
<help>Show last n changes to messages</help>
<completionHelp>
<list><NUMBER></list>
</completionHelp>
</properties>
<command>tail -n "$4" /var/log/messages | ${VYATTA_PAGER:-cat}</command>
</tagNode>
<node name="tail">
<properties>
<help>Show last 10 lines of /var/log/messages file</help>
</properties>
<command>tail -n 10 /var/log/messages</command>
</node>
<leafNode name="vpn">
<properties>
<help>Monitor last lines of ALL Virtual Private Network services</help>
</properties>
<command>journalctl --no-hostname --boot --unit strongswan.service --unit accel-ppp@*.service --unit ocserv.service</command>
</leafNode>
<leafNode name="ipsec">
<properties>
<help>Show log for IPsec</help>
</properties>
<command>journalctl --no-hostname --boot --unit strongswan.service</command>
</leafNode>
<leafNode name="l2tp">
<properties>
<help>Show log for L2TP</help>
</properties>
<command>journalctl --no-hostname --boot --unit accel-ppp@l2tp.service</command>
</leafNode>
<leafNode name="openconnect">
<properties>
<help>Show log for OpenConnect</help>
</properties>
<command>journalctl --no-hostname --boot --unit ocserv.service</command>
</leafNode>
<leafNode name="pptp">
<properties>
<help>Show log for PPTP</help>
</properties>
<command>journalctl --no-hostname --boot --unit accel-ppp@pptp.service</command>
</leafNode>
<leafNode name="sstp">
<properties>
<help>Show log for Secure Socket Tunneling Protocol (SSTP) server</help>
</properties>
<command>journalctl --no-hostname --boot --unit accel-ppp@sstp.service</command>
</leafNode>
<node name="sstpc">
<properties>
<help>Show log for Secure Socket Tunneling Protocol (SSTP) client</help>
</properties>
<command>journalctl --no-hostname --boot --unit "ppp@sstpc*.service"</command>
<children>
<tagNode name="interface">
<properties>
<help>Show SSTP client log on specific interface</help>
<completionHelp>
<path>interfaces sstpc</path>
</completionHelp>
</properties>
<command>journalctl --no-hostname --boot --unit "ppp@$5.service"</command>
</tagNode>
</children>
</node>
<leafNode name="vpp">
<properties>
<help>Show log for Vector Packet Processor (VPP)</help>
</properties>
<command>journalctl --no-hostname --boot --unit vpp.service</command>
</leafNode>
<leafNode name="vrrp">
<properties>
<help>Show log for Virtual Router Redundancy Protocol (VRRP)</help>
</properties>
<command>journalctl --no-hostname --boot --unit keepalived.service</command>
</leafNode>
<leafNode name="webproxy">
<properties>
<help>Show log for Webproxy</help>
</properties>
<command>journalctl --no-hostname --boot --unit squid.service</command>
</leafNode>
</children>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/op-mode-definitions/show-ssh.xml.in b/op-mode-definitions/show-ssh.xml.in
index 7b72739c4..88faecada 100644
--- a/op-mode-definitions/show-ssh.xml.in
+++ b/op-mode-definitions/show-ssh.xml.in
@@ -1,28 +1,34 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="show">
<children>
<node name="ssh">
<properties>
<help>Show SSH server information</help>
</properties>
<children>
+ <node name="dynamic-protection">
+ <properties>
+ <help>Show SSH server dynamic-protection blocked attackers</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/ssh.py show_dynamic_protection</command>
+ </node>
<node name="fingerprints">
<properties>
<help>Show SSH server public key fingerprints</help>
</properties>
<command>${vyos_op_scripts_dir}/ssh.py show_fingerprints</command>
<children>
<node name="ascii">
<properties>
<help>Show visual ASCII art representation of the public key</help>
</properties>
<command>${vyos_op_scripts_dir}/ssh.py show_fingerprints --ascii</command>
</node>
</children>
</node>
</children>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py
index 4de9521b5..89db7b3d3 100755
--- a/src/op_mode/ssh.py
+++ b/src/op_mode/ssh.py
@@ -1,62 +1,100 @@
#!/usr/bin/env python3
#
# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+import json
import sys
import glob
import vyos.opmode
from vyos.utils.process import cmd
from vyos.configquery import ConfigTreeQuery
from tabulate import tabulate
def show_fingerprints(raw: bool, ascii: bool):
config = ConfigTreeQuery()
if not config.exists("service ssh"):
raise vyos.opmode.UnconfiguredSubsystem("SSH server is not enabled.")
publickeys = glob.glob("/etc/ssh/*.pub")
if publickeys:
keys = []
for keyfile in publickeys:
try:
if ascii:
keydata = cmd("ssh-keygen -l -v -E sha256 -f " + keyfile).splitlines()
else:
keydata = cmd("ssh-keygen -l -E sha256 -f " + keyfile).splitlines()
type = keydata[0].split(None)[-1].strip("()")
key_size = keydata[0].split(None)[0]
fingerprint = keydata[0].split(None)[1]
comment = keydata[0].split(None)[2:-1][0]
if ascii:
ascii_art = "\n".join(keydata[1:])
keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment, "ascii_art": ascii_art})
else:
keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment})
except:
# Ignore invalid public keys
pass
if raw:
return keys
else:
headers = {"type": "Type", "key_size": "Key Size", "fingerprint": "Fingerprint", "comment": "Comment", "ascii_art": "ASCII Art"}
output = "SSH server public key fingerprints:\n\n" + tabulate(keys, headers=headers, tablefmt="simple")
return output
else:
if raw:
return []
else:
return "No SSH server public keys are found."
+
+def show_dynamic_protection(raw: bool):
+ config = ConfigTreeQuery()
+ if not config.exists("service ssh dynamic-protection"):
+ raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.")
+
+ attackers = []
+ try:
+ # IPv4
+ attackers = attackers + json.loads(cmd("sudo nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"]
+ except:
+ pass
+ try:
+ # IPv6
+ attackers = attackers + json.loads(cmd("sudo nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"]
+ except:
+ pass
+ if attackers:
+ if raw:
+ return attackers
+ else:
+ output = "Blocked attackers:\n" + "\n".join(attackers)
+ return output
+ else:
+ if raw:
+ return []
+ else:
+ return "No blocked attackers."
+
+if __name__ == '__main__':
+ try:
+ res = vyos.opmode.run(sys.modules[__name__])
+ if res:
+ print(res)
+ except (ValueError, vyos.opmode.Error) as e:
+ print(e)
+ sys.exit(1)