Package: sshguard
Version: 2.4.3-1
Severity: minor
Tags: patch
Dear Maintainer,
systemctl stop sshguard always gives the following two kinds of errors:
1. The exit status is nonzero and an error is left in the journal as
Dec 30 10:06:58 raspi4b-router2 sshguard[1852]: Exiting on signal.
Dec 30 10:06:58 raspi4b-router2 systemd[1]: Stopping sshguard.service - SSHGuard...
Dec 30 10:06:58 raspi4b-router2 systemd[1]: sshguard.service: Main process exited, code=exited, status=143/n/a
Dec 30 10:06:58 raspi4b-router2 systemd[1]: sshguard.service: Failed with result 'exit-code'.
This can be fixed by explicitly giving the exit status 0 in /sbin/sshguard.
2. The "nft" command invoked by /usr/libexec/sshguard/sshg-fw-nft-set always
complains as
Dec 30 10:06:58 raspi4b-router2 nft[3743]: Error: No such file or directory; did you mean table 'sshguard' in family ip6?
Dec 30 10:06:58 raspi4b-router2 nft[3743]: delete table ip sshguard
Dec 30 10:06:58 raspi4b-router2 nft[3743]: ^^^^^^^^
The reason is that the table "sshguard" is removed twice, by both
/usr/libexec/sshguard/sshg-fw-nft-set and
ExecStopPost in /lib/systemd/system/sshguard.service.
A suggested patch is attached below.
It also seems that ExecStartPre is unnecessary in
/lib/systemd/system/sshguard.service
as the nft table "sshguard" is made by /usr/libexec/sshguard/sshg-fw-nft-set.
Best regards, Ryutaroh Matsumoto
-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: arm64 (aarch64)
Kernel: Linux 6.12.6-rt-arm64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CRAP
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages sshguard depends on:
ii init-system-helpers 1.68
ii libc6 2.40-4
ii sysvinit-utils [lsb-base] 3.11-1
Versions of packages sshguard recommends:
ii nftables 1.1.1-1
sshguard suggests no packages.
-- Configuration Files:
/etc/sshguard/sshguard.conf changed:
BACKEND="/usr/libexec/sshguard/sshg-fw-nft-sets"
LOGREADER="LANG=C journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4
SYSLOG_FACILITY=10"
THRESHOLD=13
BLOCK_TIME=1200
DETECTION_TIME=18000
WHITELIST_FILE=/etc/sshguard/whitelist
-- no debconf information
--- sbin/sshguard.orig 2024-04-08 10:22:20.000000000 +0900
+++ sbin/sshguard 2025-01-11 09:31:00.318955841 +0900
@@ -27,7 +27,7 @@
if [ -n "$PID_FILE" ]; then
rm -f "$PID_FILE"
fi
- exit
+ exit 0
}
# Source configuration file
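Review bot: The changed line 'exit 0' makes this handler report success on every path that reaches it, not only on the SIGTERM sent by 'systemctl stop', so if the same function is also reached on an error or on another signal, that exit would be logged as clean too. The journal excerpt in the report shows only status=143, so adding SuccessExitStatus=143 to the [Service] section would clear the "Failed with result 'exit-code'" message while leaving the script's exit status as it is.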
--- lib/systemd/system/sshguard.service 2024-04-08 10:14:30.000000000 +0900
+++ etc/systemd/system/sshguard.service 2025-01-11 09:34:25.019986169 +0900
@@ -6,10 +6,6 @@
[Service]
PIDFile=/run/sshguard.pid
-ExecStartPre=-/usr/sbin/nft add table ip sshguard
-ExecStartPre=-/usr/sbin/nft add table ip6 sshguard
-ExecStopPost=-/usr/sbin/nft delete table ip sshguard
-ExecStopPost=-/usr/sbin/nft delete table ip6 sshguard
ExecStart=/usr/sbin/sshguard
[Install]
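Review bot: Removing both ExecStopPost lines drops the only table cleanup that still runs when the main process ends without its backend deleting the table (for example after SIGKILL), and the leading '-' on those lines already keeps a failed nft call from failing the unit, so the duplicate delete is log noise rather than a stop failure. Consider keeping the ExecStopPost lines and making them tolerate a missing table, for instance with 'nft destroy table ip sshguard' where the installed nftables and kernel support 'destroy'. The file headers also compare lib/systemd/system/sshguard.service with etc/systemd/system/sshguard.service; for the package, the diff should be against the lib/ path on both sides.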