Package: sshguard
Version: 1.5-6
Severity: important
Dear Maintainer,
Sshguard behaves erratically at boot: sometimes it fails to start, and sometimes
it starts but is unable to function.
This is because the init script /etc/init.d/sshguard is unable to set up the
sshguard chain with iptables.
This is done by the following commands in the /etc/init.d/sshguard script:
iptables -N sshguard 2> /dev/null
ip6tables -N sshguard 2> /dev/null
iptables -I INPUT -j sshguard 2> /dev/null
ip6tables -I INPUT -j sshguard 2> /dev/null
Unfortunately, stderr is discarded there. With the stderr redirection removed,
the following message appears:
"Another app is currently holding the xtables lock."
This happens because the first iptables invocation returns before the kernel is
fully configured, which causes the following three invocations to fail.
One way to fix this is to call the iptables and ip6tables commands with the -w
switch, which makes them wait for the xtables lock instead of failing:
iptables -w -N sshguard
ip6tables -w -N sshguard
iptables -w -I INPUT -j sshguard
ip6tables -w -I INPUT -j sshguard
Attached is my modified /etc/init.d/sshguard.
-- System Information:
Debian Release: 8.0
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sshguard depends on:
ii iptables 1.4.21-2+b1
ii libc6 2.19-15
sshguard recommends no packages.
sshguard suggests no packages.
-- Configuration Files:
/etc/init.d/sshguard changed:
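# Paths and daemon settings shared by every action handled below.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="SSHGuard Server"
NAME=sshguard
DAEMON=/usr/sbin/$NAME
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
DAEMON_ARGS="-i $PIDFILE"
OS=$(uname)

# Load the VERBOSE setting and other rcS variables, then the LSB log_*
# helpers. Both must be sourced BEFORE the first log_warning_msg call
# below: if they are not, that call fails as "command not found", the
# && chain is broken and the script carries on without a usable daemon.
. /lib/init/vars.sh
. /lib/lsb/init-functions

# Exit if the package is not installed.
if [ ! -x "$DAEMON" ]; then
  log_warning_msg "No valid daemon $DAEMON for $NAME, exiting"
  exit 0
fi

# Read the configuration variable file if it is present.
# NOTE(review): LOGFILES, WHITELIST, ARGS and ENABLE_FIREWALL are
# presumably set there - confirm against /etc/default/sshguard.
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Add one -l option per readable log file. $LOGFILES is intentionally
# unquoted so that a whitespace-separated list is split into words.
LOGS=0
for logfile in $LOGFILES; do
  if [ -r "$logfile" ]; then
    DAEMON_ARGS="$DAEMON_ARGS -l $logfile"
    LOGS=$((LOGS + 1))
  fi
done
if [ "$LOGS" -eq 0 ]; then
  log_warning_msg "No valid logs to scan by $NAME, exiting"
  exit 0
fi

# Whitelist file and any extra arguments; $ARGS stays unquoted so that
# several options can be passed as one string.
DAEMON_ARGS="$DAEMON_ARGS -w $WHITELIST $ARGS"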
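if [ "$OS" = "Linux" ]; then
  #######################################
  # Enable the firewall hook (Linux / netfilter).
  # Creates the "sshguard" chain in iptables and ip6tables and inserts a
  # jump to it at the head of INPUT. Every call uses -w so that iptables
  # waits for the xtables lock instead of failing when another process
  # (e.g. an earlier iptables invocation still being applied by the
  # kernel at boot) holds it. Chain creation and the INPUT jump are
  # skipped when they are already present, so a start after an unclean
  # stop neither prints a spurious "chain already exists" error nor
  # inserts a duplicate INPUT jump.
  # Errors are deliberately NOT sent to /dev/null: a failure to hook the
  # chain leaves the host without sshguard's blocking and must be visible.
  # Globals: none written
  # Returns: exit status of the last iptables/ip6tables command
  #######################################
  do_enable_firewall()
  {
    log_progress_msg "enabling firewall"
    # creating sshguard chain (only when it does not exist yet)
    iptables -w -n -L sshguard >/dev/null 2>&1 || iptables -w -N sshguard
    ip6tables -w -n -L sshguard >/dev/null 2>&1 || ip6tables -w -N sshguard
    # block traffic from abusers: one jump from INPUT into the chain
    iptables -w -C INPUT -j sshguard 2>/dev/null || iptables -w -I INPUT -j sshguard
    ip6tables -w -C INPUT -j sshguard 2>/dev/null || ip6tables -w -I INPUT -j sshguard
  }

  #######################################
  # Disable the firewall hook (Linux / netfilter).
  # Flushes the sshguard chain (this drops the current block list),
  # removes the INPUT jump and deletes the chain. -w is used here as well
  # so that a busy xtables lock at shutdown does not leave stale rules
  # behind. stderr is discarded on purpose: the chain or the jump may
  # legitimately be absent already (firewall never enabled, or an
  # earlier unclean stop).
  # Note that -D removes a single matching jump; duplicates left by an
  # older, unguarded version of do_enable_firewall must be removed by hand.
  # Globals: none written
  # Returns: exit status of the last iptables/ip6tables command
  #######################################
  do_disable_firewall()
  {
    log_progress_msg "disabling firewall"
    # flushes list of abusers
    iptables -w -F sshguard 2> /dev/null
    ip6tables -w -F sshguard 2> /dev/null
    # removes sshguard firewall rules
    iptables -w -D INPUT -j sshguard 2> /dev/null
    ip6tables -w -D INPUT -j sshguard 2> /dev/null
    # removing sshguard chain
    iptables -w -X sshguard 2> /dev/null
    ip6tables -w -X sshguard 2> /dev/null
  }
else
  # KfreeBSD code
  #######################################
  # Enable the firewall hook (GNU/kFreeBSD / pf).
  # Loads the pf module when it is not listed yet, enables pf and loads
  # the sshguard table and rules from /etc/sshguard/sshguard.conf.
  # NOTE(review): pf.ko detection reads column 5 of the lsmod output -
  # confirm that is the right column on kFreeBSD.
  # Globals: PF_AVAILABLE (written)
  # Returns: exit status of the last pfctl command
  #######################################
  do_enable_firewall()
  {
    log_progress_msg "enabling firewall"
    # create sshguard firewall rules
    PF_AVAILABLE=$(lsmod | grep pf.ko | awk '{print $5}')
    if [ "$PF_AVAILABLE" != "pf.ko" ]; then
      kldload pf
    fi
    # Enable PF; pfctl diagnostics are hidden as in the original script
    pfctl -e 2> /dev/null
    # Loading sshguard table and rules
    pfctl -f /etc/sshguard/sshguard.conf 2> /dev/null
  }

  #######################################
  # Disable the firewall hook (GNU/kFreeBSD / pf).
  # Flushes the sshguard table (this drops the current block list) and
  # removes it. pfctl diagnostics are hidden as in the original script.
  # Globals: none written
  # Returns: exit status of the last pfctl command
  #######################################
  do_disable_firewall()
  {
    log_progress_msg "disabling firewall"
    # flushes list of abusers
    pfctl -Tflush -t sshguard 2> /dev/null
    # removes sshguard firewall rules
    pfctl -Tdel -t sshguard 2> /dev/null
    # removing sshguard table
    pfctl -Tkill -t sshguard 2> /dev/null
  }
fi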
# Dispatch on the requested action. The firewall hook is only touched
# when ENABLE_FIREWALL is "1" (expected from /etc/default/sshguard).
case "$1" in
  start)
    log_daemon_msg "Starting $DESC" "$NAME"
    # Hook the chain in before the daemon starts so that the first
    # block it issues has somewhere to go.
    if [ "$ENABLE_FIREWALL" = "1" ]; then
      do_enable_firewall
    fi
    # $DAEMON_ARGS must stay unquoted: it is a space-separated option list.
    if start-stop-daemon --start --quiet --oknodo --pidfile "$PIDFILE" \
        --exec "$DAEMON" --background -- $DAEMON_ARGS; then
      ret=0
    else
      ret=1
    fi
    log_end_msg "$ret"
    ;;
  stop)
    log_daemon_msg "Stopping $DESC" "$NAME"
    if start-stop-daemon --stop --quiet --oknodo --pidfile "$PIDFILE"; then
      ret=0
    else
      ret=1
    fi
    # The hook is removed even when stopping the daemon failed; the
    # reported status only reflects the daemon stop.
    if [ "$ENABLE_FIREWALL" = "1" ]; then
      do_disable_firewall
    fi
    log_end_msg "$ret"
    ;;
  restart|force-reload)
    log_daemon_msg "Restarting $DESC" "$NAME"
    start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile "$PIDFILE"
    # Disabling flushes the sshguard chain/table, so the current block
    # list does not survive a restart.
    if [ "$ENABLE_FIREWALL" = "1" ]; then
      do_disable_firewall
      do_enable_firewall
    fi
    if start-stop-daemon --start --quiet --oknodo --pidfile "$PIDFILE" \
        --exec "$DAEMON" --background -- $DAEMON_ARGS; then
      ret=0
    else
      ret=1
    fi
    log_end_msg "$ret"
    ;;
  status)
    # Standard LSB idiom: exit 0 when running, else propagate the
    # status_of_proc exit code.
    status_of_proc -p "$PIDFILE" "$DAEMON" "$NAME" && exit 0 || exit $?
    ;;
  *)
    log_action_msg "Usage: $SCRIPTNAME {start|stop|force-reload|restart|status}"
    exit 3
    ;;
esac
-- no debconf information