2020-06-23 22:57:58 |
Malcolm Scott |
bug |
|
|
added bug |
2020-06-23 23:45:16 |
Seth Arnold |
information type |
Private Security |
Public Security |
|
2020-06-23 23:45:17 |
Seth Arnold |
bug |
|
|
added subscriber Ubuntu Bugs |
2020-06-23 23:46:45 |
Seth Arnold |
sshguard (Ubuntu): status |
New |
Incomplete |
|
2020-06-24 00:38:53 |
Seth Arnold |
sshguard (Ubuntu): status |
Incomplete |
New |
|
2020-06-24 08:11:01 |
Dimitri John Ledkov |
sshguard (Ubuntu): status |
New |
Confirmed |
|
2020-06-24 10:53:40 |
Dimitri John Ledkov |
description |
sshguard 2.3.1-1ubuntu1; focal
/lib/systemd/system/sshguard.service has:
ExecStartPre=-/sbin/iptables -N sshguard
ExecStartPre=-/sbin/ip6tables -N sshguard
ExecStopPost=-/sbin/iptables -X sshguard
ExecStopPost=-/sbin/ip6tables -X sshguard
iptables and ip6tables are now in /usr/sbin, not /sbin. So the sshguard chain never gets created/deleted.
sshg-fw-iptables assumes that this chain exists, so it fails to actually block any attacker:
Jun 23 22:54:18 fenrir sshguard[677248]: Attack from "192.0.2.1" on service 110 with danger 10.
Jun 23 22:54:18 fenrir sshguard[677248]: Blocking "192.0.2.1/32" for 122880 secs (3 attacks in 1 secs, after 11 abuses over 184099 secs.)
Jun 23 22:54:18 fenrir sshguard[1191669]: iptables: No chain/target/match by that name.
Jun 23 23:46:49 fenrir sshguard[1198650]: iptables: Bad rule (does a matching rule exist in that chain?). |
[Impact]
* sshguard.service does not start correctly on systems upgraded from bionic to focal.
* sshguard.service hardcodes paths to the iptables binary. However, said path has changed in focal+ in the iptables package.
* This issue impacts installations of bionic that upgrade to focal, but not new installs of focal. Newly installed focal systems have the usr-merge feature, which makes all binaries accessible from either the / or /usr prefix. This is not the case yet when upgrading from bionic.
[Test Case]
* Install bionic
* Install sshguard, check that it starts
* dist-upgrade to focal
* Check that sshguard runs and that iptables rules are updated
[Workaround]
* Users can convert their systems to usrmerge to mitigate the issue by doing:
$ sudo apt install usrmerge
[Regression Potential]
* The bugfix to update to the correct path will work on either upgraded, or freshly installed systems. Currently sshguard is quite broken without sshguard firewall rules applied correctly. After installing this update, users may experience that sshguard is enforcing/blocking access, whilst previously it was very ineffective at doing so.
[Other Info]
* Original bug report
sshguard 2.3.1-1ubuntu1; focal
/lib/systemd/system/sshguard.service has:
ExecStartPre=-/sbin/iptables -N sshguard
ExecStartPre=-/sbin/ip6tables -N sshguard
ExecStopPost=-/sbin/iptables -X sshguard
ExecStopPost=-/sbin/ip6tables -X sshguard
iptables and ip6tables are now in /usr/sbin, not /sbin. So the sshguard chain never gets created/deleted.
sshg-fw-iptables assumes that this chain exists, so it fails to actually block any attacker:
Jun 23 22:54:18 fenrir sshguard[677248]: Attack from "192.0.2.1" on service 110 with danger 10.
Jun 23 22:54:18 fenrir sshguard[677248]: Blocking "192.0.2.1/32" for 122880 secs (3 attacks in 1 secs, after 11 abuses over 184099 secs.)
Jun 23 22:54:18 fenrir sshguard[1191669]: iptables: No chain/target/match by that name.
Jun 23 23:46:49 fenrir sshguard[1198650]: iptables: Bad rule (does a matching rule exist in that chain?). |
|
2020-06-24 10:54:41 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Focal |
|
2020-06-24 10:54:41 |
Dimitri John Ledkov |
bug task added |
|
sshguard (Ubuntu Focal) |
|
2020-06-24 10:55:22 |
Dimitri John Ledkov |
sshguard (Ubuntu): status |
Confirmed |
Fix Committed |
|
2020-06-24 10:55:24 |
Dimitri John Ledkov |
sshguard (Ubuntu Focal): status |
New |
Confirmed |
|
2020-06-24 10:55:26 |
Dimitri John Ledkov |
sshguard (Ubuntu Focal): importance |
Undecided |
High |
|
2020-06-24 10:56:41 |
Dimitri John Ledkov |
sshguard (Ubuntu Focal): status |
Confirmed |
In Progress |
|
2020-06-24 10:56:48 |
Dimitri John Ledkov |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-06-24 18:05:57 |
Launchpad Janitor |
sshguard (Ubuntu): status |
Fix Committed |
Fix Released |
|
2020-06-30 17:44:03 |
Brian Murray |
sshguard (Ubuntu Focal): milestone |
|
ubuntu-20.04.1 |
|
2020-06-30 17:45:02 |
Brian Murray |
sshguard (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2020-06-30 17:45:06 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2020-06-30 17:45:11 |
Brian Murray |
tags |
|
verification-needed verification-needed-focal |
|
2020-08-11 14:52:27 |
Toni Förster |
tags |
verification-needed verification-needed-focal |
verification-done-focal |
|
2020-08-11 17:58:24 |
Launchpad Janitor |
sshguard (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2020-08-11 17:58:28 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|