Package: sshguard
Version: 1.7.1-1
Severity: important
Tags: patch
Dear Maintainer,

* What led up to the situation?

1. Google Cloud instance
2. Installed sshguard
3. Added hostnames to /etc/sshguard/whitelist
4. rebooted
5. checked /var/log/auth.log and saw that it wasn't able to resolve my whitelisted addresses (actually, logwatch read the files for me and reported it, ...)

* What exactly did you do (or not do) that was effective (or ineffective)?

I can change the systemd .service file (see patch)

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sshguard depends on:
ii  init-system-helpers  1.48
ii  iptables             1.6.0+snapshot20161117-6
ii  libc6                2.24-11+deb9u1
ii  lsb-base             9.20161125

sshguard recommends no packages.
sshguard suggests no packages.

-- Configuration Files:
/etc/sshguard/whitelist changed:
# To see more examples, please see
# /usr/share/doc/sshguard/examples/whitelistfile.example
# Address blocks in CIDR notation
127.0.0.0/8
::1/128
10.0.0.0/8
# whitelist
www.google.com
news.google.com
mail.google.com
docs.google.com
[EOF]

/etc/resolv.conf changed:
domain c.elevated-nature-167919.internal
search c.elevated-nature-167919.internal. google.internal.
nameserver 169.254.169.254
[EOF]

-- no debconf information

syslog:
Nov 21 23:59:28 machine kernel: [    4.524706 <4524706>] ip6_tables: (C) 2000-2006 Netfilter Core Team
...
Nov 21 23:59:28 machine systemd[1]: Started SSHGuard.
...
Nov 21 23:59:28 machine sshguard-journalctl[520]: Chain INPUT (policy ACCEPT)
...
Nov 21 23:59:28 machine dhclient[581]: Internet Systems Consortium DHCP Client 4.3.5
Nov 21 23:59:28 machine ifup[509]: Internet Systems Consortium DHCP Client 4.3.5
...
Nov 21 23:59:29 machine ifup[509]: DHCPREQUEST of 10.128.0.6 on eth0 to 255.255.255.255 port 67
Nov 21 23:59:29 machine dhclient[581]: Sending on   LPF/eth0/42:01:0a:80:00:06
Nov 21 23:59:29 machine dhclient[581]: Sending on   Socket/fallback
Nov 21 23:59:29 machine dhclient[581]: DHCPREQUEST of 10.128.0.6 on eth0 to 255.255.255.255 port 67
Nov 21 23:59:29 machine dhclient[581]: DHCPACK of 10.128.0.6 from 169.254.169.254
Nov 21 23:59:29 machine ifup[509]: DHCPACK of 10.128.0.6 from 169.254.169.254
Nov 21 23:59:29 machine dhclient[581]: bound to 10.128.0.6 -- renewal in 36358 seconds.
Nov 21 23:59:29 machine ifup[509]: bound to 10.128.0.6 -- renewal in 36358 seconds.
Nov 21 23:59:29 machine systemd[1]: Started Raise network interfaces.
Nov 21 23:59:29 machine systemd[1]: Reached target Network.

auth.log:
Nov 21 23:59:28 machine sshguard[537]: Could not resolve hostname ' www.google.com': Temporary failure in name resolution.
Nov 21 23:59:28 machine sshguard[537]: whitelist: Unable to handle line 10 from whitelist file "/etc/sshguard/whitelist".
Nov 21 23:59:28 machine sshguard[537]: Could not resolve hostname ' news.google.com': Temporary failure in name resolution.
Nov 21 23:59:28 machine sshguard[537]: whitelist: Unable to handle line 11 from whitelist file "/etc/sshguard/whitelist".
Nov 21 23:59:28 machine sshguard[537]: Could not resolve hostname ' mail.google.com': Temporary failure in name resolution.
Nov 21 23:59:28 machine sshguard[537]: whitelist: Unable to handle line 12 from whitelist file "/etc/sshguard/whitelist".
Nov 21 23:59:28 machine sshguard[537]: Could not resolve hostname ' docs.google.com': Temporary failure in name resolution.
Nov 21 23:59:28 machine sshguard[537]: whitelist: Unable to handle line 13 from whitelist file "/etc/sshguard/whitelist".
Nov 21 23:59:29 machine sshguard[537]: Monitoring attacks from stdin

You can see that sshguard starts before dhclient/ifup, and fails its DNS resolution before DHCP starts.
# ip route get 169.254.169.254
169.254.169.254 via 10.128.0.1 dev eth0 src 10.128.0.6
    cache

As far as I understand, DNS lookups will not work until after a network interface (eth0) arrives.

----

systemd-analyze dump|egrep 'ssh|net|> Unit' > systemd-dump
UNITS=$(perl -ne 'next unless s/.*> Unit (.*):/$1/; print' systemd-dump )
UNITS_TO_READABLE=$(for a in $UNITS; do systemctl show $a 2>/dev/null|grep ^Desc|perl -pne "s{Description=(.*)}{s\{$a\}\{\$1 ($a)\};}"; done)
cat systemd-dump |perl -pne "$UNITS_TO_READABLE"|egrep 'Unit|Raise|SSH|Secure Shell|network.service'|sed -e 's/^->/\n\n\n->/'|egrep -C3 'Raise|SSH|Secure Shell|\(network'|egrep -A6 -- '->.*(Raise|SSH|Secure Shell|\(network)'|perl -ne 'next unless /^.../;print'

-> Unit Network (network.target):
    WantedBy: Raise network interfaces (networking.service)
    Before: OpenBSD Secure Shell server (ssh.service)
    After: Raise network interfaces (networking.service)
    ReferencedBy: OpenBSD Secure Shell server (ssh.service)
    ReferencedBy: Raise network interfaces (networking.service)

-> Unit Raise network interfaces (networking.service):
    Description: Raise network interfaces
    CGroup: /System Slice (system.slice)/Raise network interfaces (networking.service)
    Name: Raise network interfaces (networking.service)
    Fragment Path: /lib/systemd/system/Raise network interfaces (networking.service)

-> Unit OpenBSD Secure Shell server (ssh.service):
    CGroup: /System Slice (system.slice)/OpenBSD Secure Shell server (ssh.service)
    Name: OpenBSD Secure Shell server (ssh.service)
    Fragment Path: /lib/systemd/system/OpenBSD Secure Shell server (ssh.service)
    After: SSHGuard (sshguard.service)
    ReferencedBy: SSHGuard (sshguard.service)
    Command Line: /usr/sbin/sshd -D $SSHD_OPTS

-> Unit network.service (network.service):
    Description: network.service (network.service)
    Name: network.service (network.service)
    Before: SSHGuard (sshguard.service)
    ReferencedBy: SSHGuard (sshguard.service)

-> Unit SSHGuard (sshguard.service):
    CGroup: /System Slice (system.slice)/SSHGuard (sshguard.service)
    Name: SSHGuard (sshguard.service)
    Fragment Path: /lib/systemd/system/SSHGuard (sshguard.service)
    Before: OpenBSD Secure Shell server (ssh.service)
    After: network.service (network.service)
    References: network.service (network.service)

-> Unit Network (Pre) (network-pre.target):
    Before: Raise network interfaces (networking.service)
    ReferencedBy: Raise network interfaces (networking.service)

-> Unit Network is Online (network-online.target):
    Wants: Raise network interfaces (networking.service)
    After: Raise network interfaces (networking.service)
    References: Raise network interfaces (networking.service)
    ReferencedBy: Raise network interfaces (networking.service)

For SSHGuard to work, it needs to be after 'Raise network interfaces (networking.service)'. Right now, it's after 'network.service (network.service)'; unfortunately, they aren't the same.

I think the choices are changing the After to either: 'Raise network interfaces (networking.service)' or 'Network (network.target)'. Based on the fact that 'OpenBSD Secure Shell server (ssh.service)' is after 'Network (network.target)', I think the latter is correct.
sshguard_1.7.1-1.debian-systemd-after-target.patch
Description: Binary data
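The following is an added example, not part of the bug report, the attached patch, or the sshguard package. It shows a local way to apply the ordering fix the report argues for without editing the packaged unit (a systemd drop-in adding After=network.target, which is what `systemctl edit sshguard.service` would create), plus a small check that reads a unit fragment and its drop-ins and reports whether the unit is ordered after network.target. The sample unit file is a constructed stand-in for the packaged sshguard.service as the report describes it (After=network.service); the paths and function names are assumptions for this demonstration.

```sh
#!/bin/sh
# Added example: check and fix a systemd unit's After= ordering via a drop-in.
# Not from the bug report or sshguard; unit contents below are constructed.
set -eu

# Write a constructed copy of sshguard.service as the report describes it:
# ordered after network.service, which is not networking.service/network.target.
make_sample_unit() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/sshguard.service" <<'EOF'
[Unit]
Description=SSHGuard
After=network.service
Before=ssh.service

[Service]
ExecStart=/usr/sbin/sshguard

[Install]
WantedBy=multi-user.target
EOF
}

# Print the effective After= units for <unit file>, space separated and sorted.
# systemd merges After= from the fragment and from <unit file>.d/*.conf drop-ins,
# so both are read; a missing drop-in directory is silently ignored.
effective_after() {
  unit_path="$1"
  cat "$unit_path" "$unit_path.d"/*.conf 2>/dev/null \
    | sed -n 's/^After=//p' | tr ' ' '\n' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 if the unit is ordered after network.target (the ordering the report
# recommends, matching ssh.service), 1 otherwise.
ordered_after_network_target() {
  case " $(effective_after "$1") " in
    *" network.target "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the drop-in that adds network.target to After= without touching the
# packaged unit; this is what `systemctl edit` would store under /etc/systemd/system.
add_network_target_dropin() {
  mkdir -p "$1.d"
  printf '[Unit]\nAfter=network.target\n' > "$1.d/after-network-target.conf"
}

# Stand-alone demonstration in a scratch directory.
if [ "${DEMO:-1}" = 1 ]; then
  work=$(mktemp -d)
  make_sample_unit "$work"
  echo "before: After=$(effective_after "$work/sshguard.service")"
  add_network_target_dropin "$work/sshguard.service"
  echo "after:  After=$(effective_after "$work/sshguard.service")"
  ordered_after_network_target "$work/sshguard.service" && echo "ordered after network.target"
  rm -r "$work"
fi
```

On a real host the drop-in would go in /etc/systemd/system/sshguard.service.d/ followed by `systemctl daemon-reload`; the attached patch makes the equivalent change in the packaged unit itself. The check only inspects the unit files, so `systemctl show -p After sshguard.service` remains the authoritative view of what systemd actually loaded.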