Package: sshguard
Version: 1.7.1-1
Severity: important
Tags: patch
Dear Maintainer,
* What led up to the situation?
1. Google Cloud instance
2. Installed sshguard
3. Added hostnames to /etc/sshguard/whitelist
4. rebooted
5. checked /var/log/auth.log and saw that it wasn't able to resolve my whitelisted addresses (actually, logwatch read the files for me and reported it, ...)
* What exactly did you do (or not do) that was effective (or ineffective)?
I can change the systemd .service file (see patch)
-- System Information:
Debian Release: 9.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sshguard depends on:
ii init-system-helpers 1.48
ii iptables 1.6.0+snapshot20161117-6
ii libc6 2.24-11+deb9u1
ii lsb-base 9.20161125
sshguard recommends no packages.
sshguard suggests no packages.
-- Configuration Files:
/etc/sshguard/whitelist changed
# To see more examples, please see
# /usr/share/doc/sshguard/examples/whitelistfile.example
# Address blocks in CIDR notation
127.0.0.0/8
::1/128
10.0.0.0/8
# whitelist
www.google.com
news.google.com
mail.google.com
docs.google.com
[EOF]
/etc/resolv.conf changed
domain c.elevated-nature-167919.internal
search c.elevated-nature-167919.internal. google.internal.
nameserver 169.254.169.254
[EOF]
-- no debconf information
syslog:
Nov 21 23:59:28 machine kernel: [    4.524706] ip6_tables: (C) 2000-2006 Netfilter Core Team
...
Nov 21 23:59:28 machine systemd[1]: Started SSHGuard.
...
Nov 21 23:59:28 machine sshguard-journalctl[520]: Chain INPUT (policy ACCEPT)
...
Nov 21 23:59:28 machine dhclient[581]: Internet Systems Consortium DHCP Client 4.3.5
Nov 21 23:59:28 machine ifup[509]: Internet Systems Consortium DHCP Client 4.3.5
...
Nov 21 23:59:29 machine ifup[509]: DHCPREQUEST of 10.128.0.6 on eth0 to 255.255.255.255 port 67
Nov 21 23:59:29 machine dhclient[581]: Sending on   LPF/eth0/42:01:0a:80:00:06
Nov 21 23:59:29 machine dhclient[581]: Sending on   Socket/fallback
Nov 21 23:59:29 machine dhclient[581]: DHCPREQUEST of 10.128.0.6 on eth0 to 255.255.255.255 port 67
Nov 21 23:59:29 machine dhclient[581]: DHCPACK of 10.128.0.6 from 169.254.169.254
Nov 21 23:59:29 machine ifup[509]: DHCPACK of 10.128.0.6 from 169.254.169.254
Nov 21 23:59:29 machine dhclient[581]: bound to 10.128.0.6 -- renewal in 36358 seconds.
Nov 21 23:59:29 machine ifup[509]: bound to 10.128.0.6 -- renewal in 36358 seconds.
Nov 21 23:59:29 machine systemd[1]: Started Raise network interfaces.
Nov 21 23:59:29 machine systemd[1]: Reached target Network.
auth.log:
Nov 21 23:59:28 machine sshguard[537]: Could not resolve hostname 'www.google.com': Temporary failure in name resolution.
Nov 21 23:59:28 machine sshguard[537]: whitelist: Unable to handle line 10 from whitelist file "/etc/sshguard/whitelist".
Nov 21 23:59:28 machine sshguard[537]: Could not resolve hostname 'news.google.com': Temporary failure in name resolution.
Nov 21 23:59:28 machine sshguard[537]: whitelist: Unable to handle line 11 from whitelist file "/etc/sshguard/whitelist".
Nov 21 23:59:28 machine sshguard[537]: Could not resolve hostname 'mail.google.com': Temporary failure in name resolution.
Nov 21 23:59:28 machine sshguard[537]: whitelist: Unable to handle line 12 from whitelist file "/etc/sshguard/whitelist".
Nov 21 23:59:28 machine sshguard[537]: Could not resolve hostname 'docs.google.com': Temporary failure in name resolution.
Nov 21 23:59:28 machine sshguard[537]: whitelist: Unable to handle line 13 from whitelist file "/etc/sshguard/whitelist".
Nov 21 23:59:29 machine sshguard[537]: Monitoring attacks from stdin
You can see that sshguard starts before dhclient/ifup, and fails its DNS resolution before DHCP starts.
# ip route get 169.254.169.254
169.254.169.254 via 10.128.0.1 dev eth0 src 10.128.0.6
cache
As far as I understand, DNS lookups will not work until after a network interface (eth0) arrives.
----
# dump the unit graph and keep only the ssh/network-related lines
systemd-analyze dump | egrep 'ssh|net|> Unit' > systemd-dump
# names of all units that appear in the dump
UNITS=$(perl -ne 'next unless s/.*> Unit (.*):/$1/; print' systemd-dump)
# build one perl substitution per unit that rewrites "unit" as "Description (unit)"
UNITS_TO_READABLE=$(for a in $UNITS; do systemctl show $a 2>/dev/null | grep ^Desc | perl -pne "s{Description=(.*)}{s\{$a\}\{\$1 ($a)\};}"; done)
# apply the substitutions and print the ordering of the interesting units
cat systemd-dump | perl -pne "$UNITS_TO_READABLE" | egrep 'Unit|Raise|SSH|Secure Shell|network.service' | sed -e 's/^->/\n\n\n->/' | egrep -C3 'Raise|SSH|Secure Shell|\(network' | egrep -A6 -- '->.*(Raise|SSH|Secure Shell|\(network)' | perl -ne 'next unless /^.../;print'
-> Unit Network (network.target):
	WantedBy: Raise network interfaces (networking.service)
	Before: OpenBSD Secure Shell server (ssh.service)
	After: Raise network interfaces (networking.service)
	ReferencedBy: OpenBSD Secure Shell server (ssh.service)
	ReferencedBy: Raise network interfaces (networking.service)
-> Unit Raise network interfaces (networking.service):
	Description: Raise network interfaces
	CGroup: /System Slice (system.slice)/Raise network interfaces (networking.service)
	Name: Raise network interfaces (networking.service)
	Fragment Path: /lib/systemd/system/Raise network interfaces (networking.service)
-> Unit OpenBSD Secure Shell server (ssh.service):
	CGroup: /System Slice (system.slice)/OpenBSD Secure Shell server (ssh.service)
	Name: OpenBSD Secure Shell server (ssh.service)
	Fragment Path: /lib/systemd/system/OpenBSD Secure Shell server (ssh.service)
	After: SSHGuard (sshguard.service)
	ReferencedBy: SSHGuard (sshguard.service)
	Command Line: /usr/sbin/sshd -D $SSHD_OPTS
-> Unit network.service (network.service):
	Description: network.service (network.service)
	Name: network.service (network.service)
	Before: SSHGuard (sshguard.service)
	ReferencedBy: SSHGuard (sshguard.service)
-> Unit SSHGuard (sshguard.service):
	CGroup: /System Slice (system.slice)/SSHGuard (sshguard.service)
	Name: SSHGuard (sshguard.service)
	Fragment Path: /lib/systemd/system/SSHGuard (sshguard.service)
	Before: OpenBSD Secure Shell server (ssh.service)
	After: network.service (network.service)
	References: network.service (network.service)
-> Unit Network (Pre) (network-pre.target):
	Before: Raise network interfaces (networking.service)
	ReferencedBy: Raise network interfaces (networking.service)
-> Unit Network is Online (network-online.target):
	Wants: Raise network interfaces (networking.service)
	After: Raise network interfaces (networking.service)
	References: Raise network interfaces (networking.service)
	ReferencedBy: Raise network interfaces (networking.service)
For SSHGuard to work, it needs to be after 'Raise network interfaces (networking.service)'.
Right now, it's after 'network.service (network.service)'; unfortunately, they aren't the same.
I think the choices are changing the After to either 'Raise network interfaces (networking.service)' or 'Network (network.target)'.
Based on the fact that 'OpenBSD Secure Shell server (ssh.service)' is after 'Network (network.target)', I think the latter is correct.
sshguard_1.7.1-1.debian-systemd-after-target.patch
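The attached patch is not reproduced above, so here is an added example (editor's code, not the reporter's patch and not part of the sshguard package) of the check that would have caught this before a reboot: it reads the After=/Wants= entries of a unit file and reports any that name a unit systemd does not have. systemd treats an ordering dependency on a unit it cannot find as a no-op and logs nothing about it, which is why the only visible symptom was the name-resolution failure in auth.log. The unit files and the list of known units below are constructed stand-ins (the ordering directives follow the systemd-analyze dump in the report; the real list would come from `systemctl list-unit-files --no-legend | awk '{print $1}'`), so the script runs offline.

```shell
#!/bin/sh
# Added example (editor's code, not from the bug report or the sshguard
# package): report After=/Wants= entries of a systemd unit file that name
# units systemd does not know, so an ordering on a non-existent unit such
# as network.service is caught before rebooting.

# missing_deps UNITFILE KNOWN_UNITS
# Prints every unit named on After= or Wants= lines of UNITFILE that is not
# listed in KNOWN_UNITS (newline separated). Prints nothing if all exist.
missing_deps() {
    unitfile=$1
    known=$2
    # keys may repeat and each value may hold several space-separated units
    sed -n -e 's/^[[:space:]]*After=//p' -e 's/^[[:space:]]*Wants=//p' "$unitfile" \
    | tr ' ' '\n' \
    | grep -v '^$' \
    | sort -u \
    | while read -r dep; do
          printf '%s\n' "$known" | grep -qx -- "$dep" || printf '%s\n' "$dep"
      done
}

# Constructed list of known units, taken from the unit names that appear in
# the systemd-analyze dump in the report. On a live system use:
#   systemctl list-unit-files --no-legend | awk '{print $1}'
KNOWN_UNITS='network.target
network-pre.target
network-online.target
networking.service
ssh.service
sshguard.service'

# Constructed approximation of the shipped sshguard.service ordering
# (After=network.service, Before=ssh.service, as in the dump; other
# directives omitted because they do not matter for the check).
SHIPPED_UNIT=$(mktemp)
cat > "$SHIPPED_UNIT" <<'EOF'
[Unit]
Description=SSHGuard
After=network.service
Before=ssh.service
EOF

# The same unit with the ordering the report proposes (After=network.target).
FIXED_UNIT=$(mktemp)
cat > "$FIXED_UNIT" <<'EOF'
[Unit]
Description=SSHGuard
After=network.target
Before=ssh.service
EOF
trap 'rm -f "$SHIPPED_UNIT" "$FIXED_UNIT"' EXIT

echo "shipped unit, ordering on units that do not exist:"
missing_deps "$SHIPPED_UNIT" "$KNOWN_UNITS"   # prints: network.service
echo "fixed unit, ordering on units that do not exist:"
missing_deps "$FIXED_UNIT" "$KNOWN_UNITS"     # prints nothing
```

One caveat on the target chosen: per systemd.special(7), network.target only guarantees that the network management software has been started, not that interfaces are configured or that DNS answers; the target that waits for that is network-online.target (used together with Wants=network-online.target). On the reporter's ifupdown system it still works because the dump shows network.target ordered After networking.service, and ifup does not return until dhclient has bound the address.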

