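name: Diagnose SSH access to liderra.ru
# Purpose: find out why the dev IP 89.144.17.119 is being refused SSH access.
# Run manually: gh workflow run ssh-diagnose.yml -f dev_ip=89.144.17.119
# Changes nothing on prod — it only reads the state of fail2ban / iptables /
# nftables / sshd / auth.log.
#
# Uses the same LIDERRA_SSH_KEY as deploy.yml.
#
# Notes for reviewers (this workflow reaches the production host with a
# privileged key):
#   - dev_ip is user-supplied and is spliced into the remote "bash -s" command
#     line and into the step summary, so it is validated as a dotted-quad IPv4
#     address before anything else runs.
#   - The private key reaches the shell through an env var rather than a
#     ${{ }} expansion inside the script text.
#   - Host-key trust is first-use (ssh-keyscan on every run). Pinning the known
#     host key in a repository variable would remove that window; left as-is
#     here because no pinned key is available in this file.

on:
  workflow_dispatch:
    inputs:
      dev_ip:
        description: 'IP который нужно проверить на блок (по умолчанию 89.144.17.119)'
        required: true
        default: '89.144.17.119'
        type: string

# Nothing here uses GITHUB_TOKEN; grant it no permissions at all.
permissions: {}

jobs:
  diagnose:
    runs-on: ubuntu-latest
    timeout-minutes: 5

    env:
      LIDERRA_HOST: 111.88.246.137
      LIDERRA_USER: ubuntu
      DEV_IP: ${{ github.event.inputs.dev_ip }}

    steps:
      - name: Validate dev_ip input
        # Anyone who can dispatch the workflow controls DEV_IP, and DEV_IP is
        # quoted into a command line executed on prod. Only a plain IPv4
        # address is accepted, so quote-breaking or shell metacharacters
        # cannot reach the remote shell.
        run: |
          if ! [[ "$DEV_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
            echo "::error::dev_ip must be a dotted-quad IPv4 address, got: '$DEV_IP'"
            exit 1
          fi

      - name: Setup SSH key
        env:
          # Passed as an env var so the key text is never part of the script.
          SSH_PRIVATE_KEY: ${{ secrets.LIDERRA_SSH_KEY }}
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/liderra_deploy
          chmod 600 ~/.ssh/liderra_deploy
          # Trust-on-first-use: the ephemeral runner has no prior known_hosts entry.
          ssh-keyscan -H "$LIDERRA_HOST" >> ~/.ssh/known_hosts 2>/dev/null

      - name: Run diagnostic queries on prod
        # "shell: bash" enables pipefail on the runner, so a failed ssh
        # connection fails this step instead of being hidden behind "tee".
        shell: bash
        # The heredoc is quoted ('REMOTE'): nothing inside it expands on the
        # runner. DEV_IP is handed to the remote shell explicitly on the
        # command line (validated above).
        run: |
          ssh -i ~/.ssh/liderra_deploy \
              -o ConnectTimeout=20 \
              "${LIDERRA_USER}@${LIDERRA_HOST}" \
              "DEV_IP='${DEV_IP}' bash -s" <<'REMOTE' | tee /tmp/diagnose.log
          # Keep going on errors, but with pipefail a failing producer
          # (fail2ban-client, grep with no match, ...) reaches the
          # "|| echo ..." fallback instead of being masked by head/tail.
          set +e
          set -o pipefail

          echo "=== 1. fail2ban status (sshd jail) ==="
          sudo fail2ban-client status sshd 2>&1 | head -30 || echo "fail2ban not available"

          echo
          echo "=== 2. Is ${DEV_IP} currently banned by fail2ban? ==="
          sudo fail2ban-client get sshd banip 2>&1 | grep -F "${DEV_IP}" || echo "NOT IN fail2ban banlist"

          echo
          echo "=== 3. Recent fail2ban actions for ${DEV_IP} (last 50 lines) ==="
          sudo grep -F "${DEV_IP}" /var/log/fail2ban.log 2>/dev/null | tail -50 || echo "no fail2ban log entries"

          echo
          echo "=== 4. iptables INPUT rules referencing ${DEV_IP} or :22 ==="
          sudo iptables -L INPUT -n -v --line-numbers 2>&1 | grep -E "(${DEV_IP}|dpt:22|tcp dpt:ssh|f2b)" || echo "no specific INPUT rules"

          echo
          echo "=== 5. iptables chains containing fail2ban (f2b-*) ==="
          sudo iptables -L -n 2>&1 | grep -E "^Chain (f2b|INPUT)" | head -10

          echo
          echo "=== 6. Full f2b-sshd chain (entries banning IPs) ==="
          sudo iptables -L f2b-sshd -n -v --line-numbers 2>&1 | head -40 || echo "no f2b-sshd chain"

          echo
          echo "=== 7. Recent SSH failed attempts from ${DEV_IP} (last 30 lines auth.log) ==="
          sudo grep -F "${DEV_IP}" /var/log/auth.log 2>/dev/null | tail -30 || echo "no auth.log entries"

          echo
          echo "=== 8. Active sshd config: AllowUsers / DenyUsers / Match blocks ==="
          sudo grep -E "^(AllowUsers|DenyUsers|AllowGroups|DenyGroups|Match)" /etc/ssh/sshd_config 2>&1 || true
          sudo ls /etc/ssh/sshd_config.d/ 2>&1
          sudo grep -E "^(AllowUsers|DenyUsers|AllowGroups|DenyGroups|Match)" /etc/ssh/sshd_config.d/*.conf 2>/dev/null || echo "no relevant entries in sshd_config.d"

          echo
          echo "=== 9. hosts.deny / hosts.allow ==="
          echo "--- /etc/hosts.deny ---"
          sudo cat /etc/hosts.deny 2>/dev/null | grep -v '^#' | grep -v '^$' || echo "(empty)"
          echo "--- /etc/hosts.allow ---"
          sudo cat /etc/hosts.allow 2>/dev/null | grep -v '^#' | grep -v '^$' || echo "(empty)"

          echo
          echo "=== 10. ufw status (если используется) ==="
          sudo ufw status verbose 2>&1 | head -20 || echo "ufw not active"

          echo
          echo "=== 11. nftables ruleset (если активен) ==="
          sudo nft list ruleset 2>&1 | head -40 || echo "nftables not active"

          echo
          echo "=== 12. Last 5 successful SSH logins (who logged in last) ==="
          last -n 5 ubuntu 2>&1 | head -10

          echo
          echo "=== 13. Full content of /etc/ssh/sshd_config.d/01-claude.conf ==="
          sudo cat /etc/ssh/sshd_config.d/01-claude.conf 2>&1 | head -80

          echo
          # Section 11 is a short preview; this one shows the whole ruleset
          # (including any f2b-table content).
          echo "=== 14. nftables full ruleset (f2b-table content) ==="
          sudo nft list ruleset 2>&1 | head -120

          echo
          echo "=== 15. journalctl ssh.service last 30min ==="
          sudo journalctl -u ssh.service --since="30 minutes ago" --no-pager 2>&1 | tail -40

          echo
          echo "=== 16. /etc/fail2ban/jail.d/ content ==="
          sudo ls -la /etc/fail2ban/jail.d/ 2>&1
          echo "--- whitelist-dev.conf ---"
          sudo cat /etc/fail2ban/jail.d/whitelist-dev.conf 2>&1 || echo "(missing)"
          echo "--- jail.local ---"
          sudo cat /etc/fail2ban/jail.local 2>&1 | head -40 || echo "(missing)"

          echo
          echo "=== 17. recidive jail (if any — long-term ban) ==="
          sudo fail2ban-client status recidive 2>&1 | head -20 || echo "no recidive jail"
          sudo fail2ban-client get recidive banip 2>&1 | grep -F "${DEV_IP}" || echo "NOT IN recidive"

          echo
          echo "=== DONE ==="
          REMOTE

      - name: Print summary
        if: always()
        # DEV_IP is safe to embed here: it passed the IPv4 check above.
        run: |
          {
            echo "## SSH diagnostic for $DEV_IP → $LIDERRA_HOST"
            echo
            echo '```'
            cat /tmp/diagnose.log 2>/dev/null || echo "(no log captured)"
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Cleanup SSH key
        if: always()
        run: rm -f ~/.ssh/liderra_deploy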