package service import ( "fmt" "net" "os" "os/user" "path" "path/filepath" "sort" "strings" "time" "github.com/1Panel-dev/1Panel/backend/app/dto" "github.com/1Panel-dev/1Panel/backend/constant" "github.com/1Panel-dev/1Panel/backend/utils/cmd" "github.com/1Panel-dev/1Panel/backend/utils/common" "github.com/1Panel-dev/1Panel/backend/utils/files" ) const sshPath = "/etc/ssh/sshd_config" type SSHService struct{} type ISSHService interface { GetSSHInfo() (*dto.SSHInfo, error) UpdateByFile(value string) error Update(key, value string) error GenerateSSH(req dto.GenerateSSH) error LoadSSHSecret(mode string) (string, error) LoadLog(req dto.SearchSSHLog) (*dto.SSHLog, error) } func NewISSHService() ISSHService { return &SSHService{} } func (u *SSHService) GetSSHInfo() (*dto.SSHInfo, error) { data := dto.SSHInfo{ Port: "22", ListenAddress: "0.0.0.0", PasswordAuthentication: "yes", PubkeyAuthentication: "yes", PermitRootLogin: "yes", UseDNS: "yes", } sshConf, err := os.ReadFile(sshPath) if err != nil { return &data, err } lines := strings.Split(string(sshConf), "\n") for _, line := range lines { if strings.HasPrefix(line, "Port ") { data.Port = strings.ReplaceAll(line, "Port ", "") } if strings.HasPrefix(line, "ListenAddress ") { data.ListenAddress = strings.ReplaceAll(line, "ListenAddress ", "") } if strings.HasPrefix(line, "PasswordAuthentication ") { data.PasswordAuthentication = strings.ReplaceAll(line, "PasswordAuthentication ", "") } if strings.HasPrefix(line, "PubkeyAuthentication ") { data.PubkeyAuthentication = strings.ReplaceAll(line, "PubkeyAuthentication ", "") } if strings.HasPrefix(line, "PermitRootLogin ") { data.PermitRootLogin = strings.ReplaceAll(line, "PermitRootLogin ", "") } if strings.HasPrefix(line, "UseDNS ") { data.UseDNS = strings.ReplaceAll(line, "UseDNS ", "") } } return &data, err } func (u *SSHService) Update(key, value string) error { sshConf, err := os.ReadFile(sshPath) if err != nil { return err } lines := strings.Split(string(sshConf), "\n") newFiles := updateSSHConf(lines, key, value) if err := settingRepo.Update(key, value); err != nil { return err } file, err := os.OpenFile(sshPath, os.O_WRONLY|os.O_TRUNC, 0666) if err != nil { return err } defer file.Close() if _, err = file.WriteString(strings.Join(newFiles, "\n")); err != nil { return err } sudo := "" hasSudo := cmd.HasNoPasswordSudo() if hasSudo { sudo = "sudo" } if key == "Port" { stdout, _ := cmd.Exec("getenforce") if stdout == "Enforcing\n" { _, _ = cmd.Execf("%s semanage port -a -t ssh_port_t -p tcp %s", sudo, value) } } _, _ = cmd.Execf("%s systemctl restart sshd", sudo) return nil } func (u *SSHService) UpdateByFile(value string) error { file, err := os.OpenFile(sshPath, os.O_WRONLY|os.O_TRUNC, 0666) if err != nil { return err } defer file.Close() if _, err = file.WriteString(value); err != nil { return err } sudo := "" hasSudo := cmd.HasNoPasswordSudo() if hasSudo { sudo = "sudo" } _, _ = cmd.Execf("%s systemctl restart sshd", sudo) return nil } func (u *SSHService) GenerateSSH(req dto.GenerateSSH) error { currentUser, err := user.Current() if err != nil { return fmt.Errorf("load current user failed, err: %v", err) } secretFile := fmt.Sprintf("%s/.ssh/id_item_%s", currentUser.HomeDir, req.EncryptionMode) secretPubFile := fmt.Sprintf("%s/.ssh/id_item_%s.pub", currentUser.HomeDir, req.EncryptionMode) authFile := currentUser.HomeDir + "/.ssh/authorized_keys" command := fmt.Sprintf("ssh-keygen -t %s -f %s/.ssh/id_item_%s | echo y", req.EncryptionMode, currentUser.HomeDir, req.EncryptionMode) if len(req.Password) != 0 { command = fmt.Sprintf("ssh-keygen -t %s -P %s -f %s/.ssh/id_item_%s | echo y", req.EncryptionMode, req.Password, currentUser.HomeDir, req.EncryptionMode) } stdout, err := cmd.Exec(command) if err != nil { return fmt.Errorf("generate failed, err: %v, message: %s", err, stdout) } defer func() { _ = os.Remove(secretFile) }() defer func() { _ = os.Remove(secretPubFile) }() if _, err := os.Stat(authFile); err != nil { _, _ = os.Create(authFile) } stdout1, err := cmd.Execf("cat %s >> %s/.ssh/authorized_keys", secretPubFile, currentUser.HomeDir) if err != nil { return fmt.Errorf("generate failed, err: %v, message: %s", err, stdout1) } fileOp := files.NewFileOp() if err := fileOp.Rename(secretFile, fmt.Sprintf("%s/.ssh/id_%s", currentUser.HomeDir, req.EncryptionMode)); err != nil { return err } if err := fileOp.Rename(secretPubFile, fmt.Sprintf("%s/.ssh/id_%s.pub", currentUser.HomeDir, req.EncryptionMode)); err != nil { return err } return nil } func (u *SSHService) LoadSSHSecret(mode string) (string, error) { currentUser, err := user.Current() if err != nil { return "", fmt.Errorf("load current user failed, err: %v", err) } homeDir := currentUser.HomeDir if _, err := os.Stat(fmt.Sprintf("%s/.ssh/id_%s", homeDir, mode)); err != nil { return "", nil } file, err := os.ReadFile(fmt.Sprintf("%s/.ssh/id_%s", homeDir, mode)) return string(file), err } func (u *SSHService) LoadLog(req dto.SearchSSHLog) (*dto.SSHLog, error) { var fileList []string var data dto.SSHLog baseDir := "/var/log" if err := filepath.Walk(baseDir, func(pathItem string, info os.FileInfo, err error) error { if err != nil { return err } if !info.IsDir() && strings.HasPrefix(info.Name(), "secure") || strings.HasPrefix(info.Name(), "auth") { if strings.HasSuffix(info.Name(), ".gz") { if err := handleGunzip(pathItem); err == nil { fileList = append(fileList, strings.ReplaceAll(pathItem, ".gz", "")) } } else { fileList = append(fileList, pathItem) } } return nil }); err != nil { return nil, err } command := "" if len(req.Info) != 0 { command = fmt.Sprintf(" | grep '%s'", req.Info) } for i := 0; i < len(fileList); i++ { if strings.HasPrefix(path.Base(fileList[i]), "secure") { dataItem := loadFailedSecureDatas(fmt.Sprintf("cat %s | grep -a 'Failed password for' | grep -v 'invalid' %s", fileList[i], command)) data.FailedCount += len(dataItem) data.TotalCount += len(dataItem) if req.Status != constant.StatusSuccess { data.Logs = append(data.Logs, dataItem...) } } if strings.HasPrefix(path.Base(fileList[i]), "auth.log") { dataItem := loadFailedAuthDatas(fmt.Sprintf("cat %s | grep -a 'Connection closed by authenticating user' | grep -a 'preauth' %s", fileList[i], command)) data.FailedCount += len(dataItem) data.TotalCount += len(dataItem) if req.Status != constant.StatusSuccess { data.Logs = append(data.Logs, dataItem...) } } dataItem := loadSuccessDatas(fmt.Sprintf("cat %s | grep Accepted %s", fileList[i], command)) data.TotalCount += len(dataItem) if req.Status != constant.StatusFailed { data.Logs = append(data.Logs, dataItem...) } } data.SuccessfulCount = data.TotalCount - data.FailedCount timeNow := time.Now() nyc, _ := time.LoadLocation(common.LoadTimeZone()) for i := 0; i < len(data.Logs); i++ { data.Logs[i].IsLocal = isPrivateIP(net.ParseIP(data.Logs[i].Address)) data.Logs[i].Date, _ = time.ParseInLocation("2006 Jan 2 15:04:05", fmt.Sprintf("%d %s", timeNow.Year(), data.Logs[i].DateStr), nyc) if data.Logs[i].Date.After(timeNow) { data.Logs[i].Date = data.Logs[i].Date.AddDate(-1, 0, 0) } } sort.Slice(data.Logs, func(i, j int) bool { return data.Logs[i].Date.After(data.Logs[j].Date) }) var itemDatas []dto.SSHHistory total, start, end := len(data.Logs), (req.Page-1)*req.PageSize, req.Page*req.PageSize if start > total { itemDatas = make([]dto.SSHHistory, 0) } else { if end >= total { end = total } itemDatas = data.Logs[start:end] } data.Logs = itemDatas return &data, nil } func updateSSHConf(oldFiles []string, param string, value interface{}) []string { hasKey := false var newFiles []string for _, line := range oldFiles { if strings.HasPrefix(line, param+" ") { newFiles = append(newFiles, fmt.Sprintf("%s %v", param, value)) hasKey = true continue } newFiles = append(newFiles, line) } if !hasKey { newFiles = []string{} for _, line := range oldFiles { if strings.HasPrefix(line, fmt.Sprintf("#%s ", param)) && !hasKey { newFiles = append(newFiles, fmt.Sprintf("%s %v", param, value)) hasKey = true continue } newFiles = append(newFiles, line) } } if !hasKey { newFiles = []string{} newFiles = append(newFiles, oldFiles...) newFiles = append(newFiles, fmt.Sprintf("%s %v", param, value)) } return newFiles } func loadSuccessDatas(command string) []dto.SSHHistory { var datas []dto.SSHHistory stdout2, err := cmd.Exec(command) if err == nil { lines := strings.Split(string(stdout2), "\n") for _, line := range lines { parts := strings.Fields(line) if len(parts) < 14 { continue } historyItem := dto.SSHHistory{ DateStr: fmt.Sprintf("%s %s %s", parts[0], parts[1], parts[2]), AuthMode: parts[6], User: parts[8], Address: parts[10], Port: parts[12], Status: constant.StatusSuccess, } datas = append(datas, historyItem) } } return datas } func loadFailedAuthDatas(command string) []dto.SSHHistory { var datas []dto.SSHHistory stdout2, err := cmd.Exec(command) if err == nil { lines := strings.Split(string(stdout2), "\n") for _, line := range lines { parts := strings.Fields(line) if len(parts) < 14 { continue } historyItem := dto.SSHHistory{ DateStr: fmt.Sprintf("%s %s %s", parts[0], parts[1], parts[2]), AuthMode: parts[8], User: parts[10], Address: parts[11], Port: parts[13], Status: constant.StatusFailed, } if strings.Contains(line, ": ") { historyItem.Message = strings.Split(line, ": ")[1] } datas = append(datas, historyItem) } } return datas } func loadFailedSecureDatas(command string) []dto.SSHHistory { var datas []dto.SSHHistory stdout2, err := cmd.Exec(command) if err == nil { lines := strings.Split(string(stdout2), "\n") for _, line := range lines { parts := strings.Fields(line) if len(parts) < 14 { continue } historyItem := dto.SSHHistory{ DateStr: fmt.Sprintf("%s %s %s", parts[0], parts[1], parts[2]), AuthMode: parts[6], User: parts[8], Address: parts[10], Port: parts[12], Status: constant.StatusFailed, } if strings.Contains(line, ": ") { historyItem.Message = strings.Split(line, ": ")[1] } datas = append(datas, historyItem) } } return datas } func handleGunzip(path string) error { if _, err := cmd.Execf("gunzip %s", path); err != nil { return err } return nil } func isPrivateIP(ip net.IP) bool { if ip4 := ip.To4(); ip4 != nil { switch true { case ip4[0] == 10: return true case ip4[0] == 172 && ip4[1] >= 16 && ip4[1] <= 31: return true case ip4[0] == 192 && ip4[1] == 168: return true } } return false }