Dokploy/dokploy
1
0
Fork 0
mirror of https://github.com/Dokploy/dokploy synced 2025-06-26 18:27:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: Security Audit SSH Errors #1377

Browse Source 
- Fixed SSH key authentication detection in server-audit.ts
- Added proper handling for prohibit-password and other secure root login options
- Fixed typos in security audit UI labels
- Improved error handling with optional chaining
This commit is contained in:
Jason Parks 2025-03-22 14:26:40 -06:00
parent ff3d444b89
commit fc7eff94b6
2 changed files with 86 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
apps/dokploy/components/dashboard/settings/servers/security-audit.tsx
View File

@ -26,6 +26,16 @@ export const SecurityAudit = ({ serverId }: Props) => {
},
);
const _utils = api.useUtils();
// Helper function to check if root login is securely configured
const isRootLoginSecure = () => {
if (!data?.ssh?.permitRootLogin) return false;
// These are secure options for PermitRootLogin
const secureOptions = ['no', 'prohibit-password', 'without-password', 'forced-commands-only'];
return secureOptions.includes(data.ssh.permitRootLogin);
};
return (
<CardContent className="p-0">
<div className="flex flex-col gap-4">
@ -36,10 +46,10 @@ export const SecurityAudit = ({ serverId }: Props) => {
<div className="flex items-center gap-2">
<LockKeyhole className="size-5" />
<CardTitle className="text-xl">
Setup Security Sugestions
Setup Security Suggestions
</CardTitle>
</div>
<CardDescription>Check the security sugestions</CardDescription>
<CardDescription>Check the security suggestions</CardDescription>
</div>
<Button
isLoading={isRefreshing}
@ -120,36 +130,45 @@ export const SecurityAudit = ({ serverId }: Props) => {
<div className="grid gap-2.5">
<StatusRow
label="Enabled"
isEnabled={data?.ssh.enabled}
isEnabled={data?.ssh?.enabled}
description={
data?.ssh.enabled
data?.ssh?.enabled
? "Enabled"
: "Not Enabled (SSH should be enabled)"
}
/>
<StatusRow
label="Key Auth"
isEnabled={data?.ssh.keyAuth}
isEnabled={data?.ssh?.keyAuth}
description={
data?.ssh.keyAuth
data?.ssh?.keyAuth
? "Enabled (Recommended)"
: "Not Enabled (Key Authentication should be enabled)"
}
/>
<StatusRow
label="Password Auth"
isEnabled={data?.ssh.passwordAuth === "no"}
isEnabled={data?.ssh?.passwordAuth === "no"}
description={
data?.ssh.passwordAuth === "no"
data?.ssh?.passwordAuth === "no"
? "Disabled (Recommended)"
: "Enabled (Password Authentication should be disabled)"
}
/>
<StatusRow
label="Use PAM"
isEnabled={data?.ssh.usePam === "no"}
label="Root Login"
isEnabled={isRootLoginSecure()}
description={
data?.ssh.usePam === "no"
isRootLoginSecure()
? `${data?.ssh?.permitRootLogin} (Secure)`
: `${data?.ssh?.permitRootLogin || "yes"} (Should be set to 'prohibit-password' or 'no')`
}
/>
<StatusRow
label="Use PAM"
isEnabled={data?.ssh?.usePam === "no"}
description={
data?.ssh?.usePam === "no"
? "Disabled (Recommended for key-based auth)"
: "Enabled (Should be disabled when using key-based auth)"
}
@ -166,9 +185,9 @@ export const SecurityAudit = ({ serverId }: Props) => {
<div className="grid gap-2.5">
<StatusRow
label="Installed"
isEnabled={data?.fail2ban.installed}
isEnabled={data?.fail2ban?.installed}
description={
data?.fail2ban.installed
data?.fail2ban?.installed
? "Installed (Recommended)"
: "Not Installed (Fail2Ban should be installed for protection against brute force attacks)"
}
@ -176,18 +195,18 @@ export const SecurityAudit = ({ serverId }: Props) => {
<StatusRow
label="Enabled"
isEnabled={data?.fail2ban.enabled}
isEnabled={data?.fail2ban?.enabled}
description={
data?.fail2ban.enabled
data?.fail2ban?.enabled
? "Enabled (Recommended)"
: "Not Enabled (Fail2Ban service should be enabled)"
}
/>
<StatusRow
label="Active"
isEnabled={data?.fail2ban.active}
isEnabled={data?.fail2ban?.active}
description={
data?.fail2ban.active
data?.fail2ban?.active
? "Active (Recommended)"
: "Not Active (Fail2Ban service should be running)"
}
@ -195,9 +214,9 @@ export const SecurityAudit = ({ serverId }: Props) => {
<StatusRow
label="SSH Protection"
isEnabled={data?.fail2ban.sshEnabled === "true"}
isEnabled={data?.fail2ban?.sshEnabled === "true"}
description={
data?.fail2ban.sshEnabled === "true"
data?.fail2ban?.sshEnabled === "true"
? "Enabled (Recommended)"
: "Not Enabled (SSH protection should be enabled to prevent brute force attacks)"
}
@ -205,11 +224,11 @@ export const SecurityAudit = ({ serverId }: Props) => {
<StatusRow
label="SSH Mode"
isEnabled={data?.fail2ban.sshMode === "aggressive"}
isEnabled={data?.fail2ban?.sshMode === "aggressive"}
description={
data?.fail2ban.sshMode === "aggressive"
data?.fail2ban?.sshMode === "aggressive"
? "Aggressive Mode (Recommended)"
: `Mode: ${data?.fail2ban.sshMode || "Not Set"} (Aggressive mode recommended for better protection)`
: `Mode: ${data?.fail2ban?.sshMode || "Not Set"} (Aggressive mode recommended for better protection)`
}
/>
</div>
@ -221,4 +240,4 @@ export const SecurityAudit = ({ serverId }: Props) => {
</div>
</CardContent>
);
};
};

51
packages/server/src/setup/server-audit.ts
View File

@ -14,13 +14,50 @@ const validateUfw = () => `
`;
const validateSsh = () => `
if systemctl is-active --quiet sshd; then
if systemctl is-active --quiet sshd || systemctl is-active --quiet ssh; then
isEnabled=true
hasKeyAuth=$(find "$HOME/.ssh" -type f -name "authorized_keys" 2>/dev/null | grep -q . && echo true || echo false)
permitRootLogin=$(sudo sshd -T | grep -i "^PermitRootLogin" | awk '{print $2}')
passwordAuth=$(sudo sshd -T | grep -i "^PasswordAuthentication" | awk '{print $2}')
usePam=$(sudo sshd -T | grep -i "^UsePAM" | awk '{print $2}')
echo "{\\"enabled\\": $isEnabled, \\"keyAuth\\": $hasKeyAuth, \\"permitRootLogin\\": \\"$permitRootLogin\\", \\"passwordAuth\\": \\"$passwordAuth\\", \\"usePam\\": \\"$usePam\\"}"
# Get the sshd config file path
sshd_config=$(sudo sshd -T 2>/dev/null | grep -i "^configfile" | awk '{print $2}')
# If we couldn't get the path, use the default
if [ -z "$sshd_config" ]; then
sshd_config="/etc/ssh/sshd_config"
fi
# Check for key authentication
# SSH key auth is enabled by default unless explicitly disabled
pubkey_line=$(sudo grep -i "^PubkeyAuthentication" "$sshd_config" 2>/dev/null | grep -v "#")
if [ -z "$pubkey_line" ] || echo "$pubkey_line" | grep -q -i "yes"; then
keyAuth=true
else
keyAuth=false
fi
# Get the exact PermitRootLogin value from config
# This preserves values like "prohibit-password" without normalization
permitRootLogin=$(sudo grep -i "^PermitRootLogin" "$sshd_config" 2>/dev/null | grep -v "#" | awk '{print $2}')
if [ -z "$permitRootLogin" ]; then
# Default is prohibit-password in newer versions
permitRootLogin="prohibit-password"
fi
# Get the exact PasswordAuthentication value from config
passwordAuth=$(sudo grep -i "^PasswordAuthentication" "$sshd_config" 2>/dev/null | grep -v "#" | awk '{print $2}')
if [ -z "$passwordAuth" ]; then
# Default is yes
passwordAuth="yes"
fi
# Get the exact UsePAM value from config
usePam=$(sudo grep -i "^UsePAM" "$sshd_config" 2>/dev/null | grep -v "#" | awk '{print $2}')
if [ -z "$usePam" ]; then
# Default is yes in most distros
usePam="yes"
fi
# Return the results with exact values from config file
echo "{\\"enabled\\": $isEnabled, \\"keyAuth\\": $keyAuth, \\"permitRootLogin\\": \\"$permitRootLogin\\", \\"passwordAuth\\": \\"$passwordAuth\\", \\"usePam\\": \\"$usePam\\"}"
else
echo "{\\"enabled\\": false, \\"keyAuth\\": false, \\"permitRootLogin\\": \\"unknown\\", \\"passwordAuth\\": \\"unknown\\", \\"usePam\\": \\"unknown\\"}"
fi
@ -111,4 +148,4 @@ export const serverAudit = async (serverId: string) => {
privateKey: server.sshKey?.privateKey,
});
});
};
};