** Description changed:

+ [Impact]
+ 
+  * sshguard.service does not start correctly on systems upgraded from bionic to focal.
+ 
+  * sshguard.service hardcodes paths to iptables binary. However, said path has changed in focal+ in the iptables package.
+ 
+  * This issue impacts installations of bionic that upgrade to focal, but not new installs of focal. Newly installed focal systems have usr-merge feature, which all binaries accessible from either / or /usr prefix. This is not the case yet, when upgrading from bionic.
+ 
+ [Test Case]
+ 
+  * Install bionic
+  * Install sshguard, check that it starts
+  * dist-upgrade to focal
+  * Check that sshguard runs and that iptables rules are updated
+ 
+ [Workaround]
+ 
+  * Users can convert their systems to usrmerge to mitigate the issue by doing:
+ 
+ $ sudo apt install usrmerge
+ 
+ [Regression Potential]
+ 
+  * The bugfix to update to the correct path will work on either
+ upgraded, or freshly installed systems. Currently sshguard is quite
+ broken without sshguard firewall rules applied correctly. After
+ installing this update, users may experience that sshguard is
+ enforcing/blocking access, whilst previously it was very ineffective at
+ doing so.
+ 
+ [Other Info]
+ 
+  * Original bug report
+ 
  sshguard 2.3.1-1ubuntu1; focal

  /lib/systemd/system/sshguard.service has:

  ExecStartPre=-/sbin/iptables -N sshguard
  ExecStartPre=-/sbin/ip6tables -N sshguard
  ExecStopPost=-/sbin/iptables -X sshguard
  ExecStopPost=-/sbin/ip6tables -X sshguard

  iptables and ip6tables are now in /usr/sbin, not /sbin. So the sshguard chain never gets created/deleted. sshg-fw-iptables assumes that this chain exists, so it fails to actually block any attacker:

  Jun 23 22:54:18 fenrir sshguard[677248]: Attack from "192.0.2.1" on service 110 with danger 10.
  Jun 23 22:54:18 fenrir sshguard[677248]: Blocking "192.0.2.1/32" for 122880 secs (3 attacks in 1 secs, after 11 abuses over 184099 secs.)
  Jun 23 22:54:18 fenrir sshguard[1191669]: iptables: No chain/target/match by that name.
  Jun 23 23:46:49 fenrir sshguard[1198650]: iptables: Bad rule (does a matching rule exist in that chain?).

** Also affects: sshguard (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: sshguard (Ubuntu)
       Status: Confirmed => Fix Committed

** Changed in: sshguard (Ubuntu Focal)
       Status: New => Confirmed

** Changed in: sshguard (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: sshguard (Ubuntu Focal)
       Status: Confirmed => In Progress

-- 
https://bugs.launchpad.net/bugs/1884848

Title:
  sshguard.service uses wrong path for iptables; nothing actually gets blocked
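
The failure described in this report stays quiet because each directive carries the `-` prefix, which tells systemd to ignore that command's failure. The following is an added example, not part of the bug report or the sshguard package: a check that flags `Exec*` directives whose hardcoded binary path does not exist. The function names and the simulated filesystem are assumptions made for illustration.

```python
import os
import re

# The four directives quoted in the bug report (sshguard 2.3.1-1ubuntu1, focal).
UNIT_TEXT = """\
[Service]
ExecStartPre=-/sbin/iptables -N sshguard
ExecStartPre=-/sbin/ip6tables -N sshguard
ExecStopPost=-/sbin/iptables -X sshguard
ExecStopPost=-/sbin/ip6tables -X sshguard
"""

# systemd Exec* directives; the value may begin with prefix characters
# such as "-" (ignore failure), "@", "+", "!" or ":" before the path.
EXEC_RE = re.compile(r"^(Exec\w+)=([-@+!:]*)(\S+)")


def missing_exec_paths(unit_text, exists=os.path.exists):
    """Return (directive, path, failure_ignored) for each Exec* line whose
    absolute binary path does not exist according to `exists`."""
    findings = []
    for line in unit_text.splitlines():
        m = EXEC_RE.match(line.strip())
        if not m:
            continue
        directive, prefixes, path = m.groups()
        if path.startswith("/") and not exists(path):
            findings.append((directive, path, "-" in prefixes))
    return findings


def silent_failures(unit_text, exists=os.path.exists):
    """Subset of findings whose failure systemd ignores ("-" prefix)."""
    return [f for f in missing_exec_paths(unit_text, exists) if f[2]]


if __name__ == "__main__":
    # Constructed filesystem view: a bionic-to-focal upgrade without usrmerge,
    # where the binaries exist only under /usr/sbin.
    upgraded = {"/usr/sbin/iptables", "/usr/sbin/ip6tables"}
    for directive, path, ignored in missing_exec_paths(UNIT_TEXT, upgraded.__contains__):
        note = "failure ignored by '-' prefix" if ignored else "unit will fail"
        print(f"{directive}: {path} not found ({note})")
```

On a real host, call `missing_exec_paths()` with the contents of the installed unit file and the default `exists` to check against the actual filesystem.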