Hello Joao,

Thanks for it.
I'll work on it after the jessie release.

Kind regards,

2015-03-10 18:22 GMT-05:00 Joao Luis Meloni Assirati <[email protected]>:

> Package: sshguard
> Version: 1.5-6
> Severity: important
>
> Dear Maintainer,
>
> Sshguard has erratic behaviour on bootup, sometimes failing to start,
> sometimes starting itself but unable to function.
>
> This is due to the fact that the init script /etc/init.d/sshguard is not able
> to configure the chain sshguard with iptables.
>
> This would be done by the following commands in /etc/init.d/sshguard script:
>
>     iptables -N sshguard 2> /dev/null
>     ip6tables -N sshguard 2> /dev/null
>     iptables -I INPUT -j sshguard 2> /dev/null
>     ip6tables -I INPUT -j sshguard 2> /dev/null
>
> Unfortunately, stderr is discarded. Removing the stderr redirection, the
> following message appears:
>
> "Another app is currently holding the xtables lock."
>
> This happens because the first iptables returns before the kernel is properly
> configured, which prevents the following three.
>
> One way to fix this issue is to call iptables and ip6tables commands with
> switch -w:
>
>     iptables -w -N sshguard
>     ip6tables -w -N sshguard
>     iptables -w -I INPUT -j sshguard
>     ip6tables -w -I INPUT -j sshguard
>
> Attached is my modified /etc/init.d/sshguard.
>
>
> -- System Information:
> Debian Release: 8.0
>   APT prefers testing-updates
>   APT policy: (500, 'testing-updates'), (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages sshguard depends on:
> ii  iptables  1.4.21-2+b1
> ii  libc6     2.19-15
>
> sshguard recommends no packages.
>
> sshguard suggests no packages.
>
> -- Configuration Files:
> /etc/init.d/sshguard changed:
> PATH=/sbin:/usr/sbin:/bin:/usr/bin
> DESC="SSHGuard Server"
> NAME=sshguard
> DAEMON=/usr/sbin/$NAME
> PIDFILE=/var/run/$NAME.pid
> SCRIPTNAME=/etc/init.d/$NAME
> DAEMON_ARGS="-i $PIDFILE"
> OS=$(uname)
> [ ! -x "$DAEMON" ] && log_warning_msg "No valid daemon $DAEMON for $NAME, exiting" && exit 0
> [ -r /etc/default/$NAME ] && . /etc/default/$NAME
> . /lib/init/vars.sh
> . /lib/lsb/init-functions
> LOGS=0
> for logfile in $LOGFILES; do [ -r "$logfile" ] && DAEMON_ARGS="$DAEMON_ARGS -l $logfile" && LOGS=$((LOGS+1)); done
> [ $LOGS = 0 ] && log_warning_msg "No valid logs to scan by $NAME, exiting" && exit 0
> DAEMON_ARGS="$DAEMON_ARGS -w $WHITELIST $ARGS"
> if [ "$OS" = "Linux" ]; then
>     #
>     # Function that enables firewall
>     #
>     do_enable_firewall()
>     {
>         log_progress_msg "enabling firewall"
>         # creating sshguard chain
>         iptables -w -N sshguard
>         ip6tables -w -N sshguard
>         # block traffic from abusers
>         iptables -w -I INPUT -j sshguard
>         ip6tables -w -I INPUT -j sshguard
>     }
>     #
>     # Function that disables firewall
>     #
>     do_disable_firewall()
>     {
>         log_progress_msg "disabling firewall"
>         # flushes list of abusers
>         iptables -F sshguard 2> /dev/null
>         ip6tables -F sshguard 2> /dev/null
>         # removes sshguard firewall rules
>         iptables -D INPUT -j sshguard 2> /dev/null
>         ip6tables -D INPUT -j sshguard 2> /dev/null
>         # removing sshguard chain
>         iptables -X sshguard 2> /dev/null
>         ip6tables -X sshguard 2> /dev/null
>     }
> else
>     # KfreeBSD code
>     #
>     # Function that enables firewall
>     #
>     do_enable_firewall()
>     {
>         log_progress_msg "enabling firewall"
>         # create sshguard firewall rules
>         PF_AVAILABLE=$(lsmod |grep pf.ko |awk {'print $5'})
>         if [ "$PF_AVAILABLE" != "pf.ko" ]; then
>             kldload pf
>         fi
>         pfctl -e 2> /dev/null # Enable PF
>         # Loading sshguard table and rules
>         pfctl -f /etc/sshguard/sshguard.conf 2> /dev/null
>     }
>     #
>     # Function that disables firewall
>     #
>     do_disable_firewall()
>     {
>         log_progress_msg "disabling firewall"
>         # flushes list of abusers
>         pfctl -Tflush -t sshguard 2> /dev/null
>         # removes sshguard firewall rules
>         pfctl -Tdel -t sshguard 2> /dev/null
>         # removing sshguard table
>         pfctl -Tkill -t sshguard 2> /dev/null
>     }
> fi
> case "$1" in
>     start)
>         log_daemon_msg "Starting $DESC" "$NAME"
>         if [ "$ENABLE_FIREWALL" = "1" ]; then
>             do_enable_firewall
>         fi
>         if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --exec $DAEMON --background -- $DAEMON_ARGS; then
>             log_end_msg 0
>         else
>             log_end_msg 1
>         fi
>         ;;
>     stop)
>         log_daemon_msg "Stopping $DESC" "$NAME"
>         if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE; then
>             ret=0
>         else
>             ret=1
>         fi
>         if [ "$ENABLE_FIREWALL" = "1" ]; then
>             do_disable_firewall
>         fi
>         log_end_msg $ret
>         ;;
>     restart|force-reload)
>         log_daemon_msg "Restarting $DESC" "$NAME"
>         start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile $PIDFILE
>         if [ "$ENABLE_FIREWALL" = "1" ]; then
>             do_disable_firewall
>             do_enable_firewall
>         fi
>         if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --exec $DAEMON --background -- $DAEMON_ARGS; then
>             log_end_msg 0
>         else
>             log_end_msg 1
>         fi
>         ;;
>     status)
>         status_of_proc -p "$PIDFILE" "$DAEMON" "$NAME" && exit 0 || exit $?
>         ;;
>     *)
>         log_action_msg "Usage: $SCRIPTNAME {start|stop|force-reload|restart|status}"
>         exit 3
>         ;;
> esac
>
>
> -- no debconf information

-- 
Julián Moreno Patiño
Debian Developer
 .''`. Debian GNU/{Linux,KfreeBSD}
: :' : Free Operating Systems
`. `'  http://debian.org/
  `-   GPG Fingerprint:
C2C8 904E 314C D8FA 041D 9B00 D5FD FC15 6168 BF60
Registered GNU Linux User ID 488513
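
An added example, not part of the original message or of the Debian package's init script: a POSIX sh sketch of the chain setup from the report that waits for the xtables lock with `-w`, keeps stderr on the commands that change state, and returns non-zero so the caller can refuse to report a protected host when the chain was never installed. The function names `ensure_sshguard_chain` and `enable_firewall` and the `--apply` argument are hypothetical.

```shell
#!/bin/sh
# Added example (assumed names): lock-aware, idempotent sshguard chain setup.

# ensure_sshguard_chain TOOL   where TOOL is iptables or ip6tables.
# Returns 0 only if the chain exists and INPUT jumps to it.
ensure_sshguard_chain() {
    ipt=$1
    chain=sshguard

    # -w waits for the xtables lock instead of failing with
    # "Another app is currently holding the xtables lock."
    # Probe output is discarded; only the exit status matters here.
    if ! "$ipt" -w -n -L "$chain" >/dev/null 2>&1; then
        # stderr is NOT discarded: a failure must be visible at boot.
        "$ipt" -w -N "$chain" || return 1
    fi

    # -C checks for the rule, so restarts do not stack duplicate jumps.
    if ! "$ipt" -w -C INPUT -j "$chain" 2>/dev/null; then
        "$ipt" -w -I INPUT -j "$chain" || return 1
    fi
    return 0
}

# Set up both address families; report every failure, return 1 if any failed.
enable_firewall() {
    rc=0
    for tool in iptables ip6tables; do
        if ! ensure_sshguard_chain "$tool"; then
            echo "sshguard: $tool chain setup failed, blocking is inactive" >&2
            rc=1
        fi
    done
    return $rc
}

# Only touch the live firewall when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    enable_firewall
    exit $?
fi
```
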

