sshguard.service uses wrong path for iptables; nothing actually gets blocked
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sshguard (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Fix Released | High | Unassigned |
Bug Description
[Impact]
* sshguard.service does not start correctly on systems upgraded from bionic to focal.
* sshguard.service hardcodes the path to the iptables binary; that path changed in focal and later releases of the iptables package.
* This issue affects bionic installations that are upgraded to focal, but not fresh installs of focal. Newly installed focal systems use the usr-merge layout, which makes every binary reachable under both the / and the /usr prefix. Systems upgraded from bionic do not yet have that layout.
[Test Case]
* Install bionic
* Install sshguard, check that it starts
* dist-upgrade to focal
* Check that sshguard runs and that iptables rules are updated
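A concrete way to perform the last check, as an added example that is not part of the bug report or of the sshguard package: `check_unit_paths` reads the ExecStartPre=/ExecStopPost= commands out of a unit file and tests whether each executable actually exists, optionally under a root prefix so the two layouts can be compared side by side. The unit excerpts and the two fake roots are constructed; the `-N`/`-X` arguments are assumed (the report only shows the four Exec lines and that the sshguard chain is never created or deleted), and the live unit path `/lib/systemd/system/sshguard.service` mentioned in the usage note is likewise assumed, since the page shows only the `/lib/systemd/` prefix.

```shell
#!/bin/sh
# Added example (not code from the bug report or the sshguard package).
# check_unit_paths UNIT [ROOT]: for every ExecStartPre=/ExecStopPost= line in a
# systemd unit file, test whether the command's executable exists under ROOT
# (empty ROOT = the live system). Prints one line per path and returns the
# number of missing executables, so 0 means the unit will find all of them.
check_unit_paths() {
    _unit="$1"
    _root="${2:-}"
    _missing=0
    # Take the first word after "=", dropping systemd's optional "-" prefix
    # (which makes systemd ignore that command's exit status). Paths in these
    # units contain no whitespace, so unquoted word splitting is safe here.
    for _bin in $(sed -n -E 's/^Exec(StartPre|StopPost)=-?([^[:space:]]+).*/\2/p' "$_unit" | sort -u); do
        if [ -x "$_root$_bin" ]; then
            echo "ok      $_bin"
        else
            echo "MISSING $_bin"
            _missing=$((_missing + 1))
        fi
    done
    return "$_missing"
}

# Constructed fake roots mirroring the two layouts described in the report:
#   upgraded  - bionic->focal without usrmerge: /sbin is a real directory that
#               no longer holds iptables, which now lives only in /usr/sbin
#   usrmerged - fresh focal: /sbin is a symlink to usr/sbin
make_fake_roots() {
    for _layout in upgraded usrmerged; do
        mkdir -p "$1/$_layout/usr/sbin"
        for _b in iptables ip6tables; do
            printf '#!/bin/sh\nexit 0\n' > "$1/$_layout/usr/sbin/$_b"
            chmod +x "$1/$_layout/usr/sbin/$_b"
        done
    done
    mkdir -p "$1/upgraded/sbin"
    ln -s usr/sbin "$1/usrmerged/sbin"
}

# Constructed unit excerpts (assumed -N/-X arguments): the hardcoded /sbin
# paths from the report, and the same unit with the paths corrected.
write_units() {
    cat > "$1/sshguard-old.service" <<'EOF'
[Service]
ExecStartPre=-/sbin/iptables -N sshguard
ExecStartPre=-/sbin/ip6tables -N sshguard
ExecStart=/usr/sbin/sshguard
ExecStopPost=-/sbin/iptables -X sshguard
ExecStopPost=-/sbin/ip6tables -X sshguard
EOF
    sed 's#=-/sbin/#=-/usr/sbin/#' "$1/sshguard-old.service" > "$1/sshguard-fixed.service"
}

# Check both units against both layouts; returns a one-line summary of
# "unit/layout=<missing count>" so the result can be inspected by a caller.
demo() {
    _base=$(mktemp -d)
    make_fake_roots "$_base"
    write_units "$_base"
    _summary=""
    for _u in old fixed; do
        for _l in upgraded usrmerged; do
            _n=0
            check_unit_paths "$_base/sshguard-$_u.service" "$_base/$_l" >/dev/null || _n=$?
            _summary="$_summary $_u/$_l=$_n"
        done
    done
    rm -rf "$_base"
    echo "${_summary# }"
}

# prints: old/upgraded=2 old/usrmerged=0 fixed/upgraded=0 fixed/usrmerged=0
demo
```

Only the old unit on the non-usrmerged root reports missing binaries, which is the combination the bug describes. On a live system, `check_unit_paths /lib/systemd/system/sshguard.service` (no root argument) gives the same answer for the unit actually installed; because the four Exec lines carry the `-` prefix, systemd does not fail the unit when they cannot run, so this check is what surfaces the problem before the "No chain/target/match by that name" errors appear in the journal.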
[Workaround]
* Users can convert their systems to usrmerge to mitigate the issue by doing:
$ sudo apt install usrmerge
[Regression Potential]
* The bugfix, which points the unit at the correct path, works on both upgraded and freshly installed systems. Currently sshguard is quite broken, because its firewall rules are never applied. After installing this update, users may find that sshguard actively enforces blocking, whereas previously it was largely ineffective at doing so.
[Other Info]
* Original bug report
sshguard 2.3.1-1ubuntu1; focal
/lib/systemd/
ExecStartPre=
ExecStartPre=
ExecStopPost=
ExecStopPost=
iptables and ip6tables are now in /usr/sbin, not /sbin. So the sshguard chain never gets created/deleted.
sshg-fw-iptables assumes that this chain exists, so it fails to actually block any attacker:
Jun 23 22:54:18 fenrir sshguard[677248]: Attack from "192.0.2.1" on service 110 with danger 10.
Jun 23 22:54:18 fenrir sshguard[677248]: Blocking "192.0.2.1/32" for 122880 secs (3 attacks in 1 secs, after 11 abuses over 184099 secs.)
Jun 23 22:54:18 fenrir sshguard[1191669]: iptables: No chain/target/match by that name.
Jun 23 23:46:49 fenrir sshguard[1198650]: iptables: Bad rule (does a matching rule exist in that chain?).
Changed in sshguard (Ubuntu):
status: Incomplete → New
description: updated
Changed in sshguard (Ubuntu):
status: Confirmed → Fix Committed
Changed in sshguard (Ubuntu Focal):
status: New → Confirmed
importance: Undecided → High
status: Confirmed → In Progress
There should be several symlinks to make this work:
$ namei -l /sbin/iptables
f: /sbin/iptables
drwxr-xr-x root root /
lrwxrwxrwx root root sbin -> usr/sbin
drwxr-xr-x root root usr
drwxr-xr-x root root sbin
lrwxrwxrwx root root iptables -> /etc/alternatives/iptables
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root alternatives
lrwxrwxrwx root root iptables -> /usr/sbin/iptables-legacy
drwxr-xr-x root root /
drwxr-xr-x root root usr
drwxr-xr-x root root sbin
lrwxrwxrwx root root iptables-legacy -> xtables-legacy-multi
-rwxr-xr-x root root xtables-legacy-multi
Are you missing any of the symlinks?
Thanks