Your message dated Wed, 10 Nov 2021 17:19:31 +0000
with message-id <[email protected]>
and subject line Bug#919525: fixed in sshguard 2.4.2-1
has caused the Debian Bug report #919525,
regarding race condition between sshguard and ufw on startup
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
919525: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919525
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sshguard
Version: 1.7.1-1

On systems with ufw (uncomplicated firewall, a popular firewall 
manager/frontend) *and* sshguard installed, a race condition exists between 
sshguard's firewall setup script and ufw.

As I understand it, ufw calls iptables-restore on multiple files on startup to 
create and populate its various chains.
If, during one of those calls, /usr/lib/sshguard/firewall is called to add the 
sshguard chain, the iptables-restore call fails and ufw cracks open.
This has bitten me a few times, leaving remote boxes unreachable over the 
network after a reboot since ufw was unable to restore all of its rules.

sshguard's systemd service file seems to have an After= directive which should 
prevent this, as ufw specifies a Before=network.target directive.

[Unit]
Description=SSHGuard
Documentation=man:sshguard(8)
After=network.service
Before=sshd.service

Since none of my Debian systems have a network.service file, I tried changing 
"After=network.service" to "After=network.target", which did the trick: 
sshguard is now started well after ufw, and after tens of reboots I haven't seen the issue come up 
again.

Given my limited systemd knowledge, this may or may not be the best fix, but I 
believe something along these lines should be changed and a new package 
published.

This is on Debian 9.6 (latest at the time of this writing), all packages up to 
date.

Cheers,
-Simon

--
Simon Vetter
Embedded Software Engineer - EDF store & forecast
Phone: +33 7 83 40 26 11


--- End Message ---
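
Added example, not part of the original report or of either package: a Python check of the startup ordering the report describes, using the [Unit] lines quoted in it. The unit texts are constructed samples, and the check assumes all listed units are in the same boot transaction and that an After=/Before= entry naming a unit that is not loaded imposes no ordering.

```python
from collections import defaultdict

# Constructed sample units: only the ordering lines quoted in the report matter.
UFW = "[Unit]\nDescription=Uncomplicated firewall\nBefore=network.target\n"
NETWORK_TARGET = "[Unit]\nDescription=Network\n"
SSHGUARD_OLD = ("[Unit]\nDescription=SSHGuard\n"
                "After=network.service\nBefore=sshd.service\n")
SSHGUARD_NEW = SSHGUARD_OLD.replace("network.service", "network.target")


def boot(sshguard_text):
    """Constructed set of loaded units for one boot."""
    return {"ufw.service": UFW, "network.target": NETWORK_TARGET,
            "sshguard.service": sshguard_text}


def ordering_edges(units):
    """Return ({unit: units started after it}, [dangling After=/Before= refs])."""
    edges, dangling = defaultdict(set), []
    for name, text in units.items():
        section = None
        for line in (raw.strip() for raw in text.splitlines()):
            if line.startswith("["):
                section = line
                continue
            key, sep, value = line.partition("=")
            key = key.strip()
            if section != "[Unit]" or not sep or key not in ("After", "Before"):
                continue
            for other in value.split():
                if other not in units:
                    # Ordering against a unit that is not loaded has no effect.
                    dangling.append((name, key, other))
                    continue
                first, second = (other, name) if key == "After" else (name, other)
                edges[first].add(second)
    return edges, dangling


def starts_after(units, later, earlier):
    """True if 'later' is transitively ordered after 'earlier'."""
    edges, _ = ordering_edges(units)
    seen, stack = set(), [earlier]
    while stack:
        node = stack.pop()
        if node == later:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(edges[node])
    return False
```

With the original After=network.service line there is no ordering path from ufw.service to sshguard.service, which is the window in which the two can run concurrently; with After=network.target the path exists.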
--- Begin Message ---
Source: sshguard
Source-Version: 2.4.2-1
Done: Julián Moreno Patiño <[email protected]>

We believe that the bug you reported is fixed in the latest version of
sshguard, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julián Moreno Patiño <[email protected]> (supplier of updated sshguard package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 09 Nov 2021 16:55:33 -0500
Source: sshguard
Architecture: source
Version: 2.4.2-1
Distribution: unstable
Urgency: medium
Maintainer: Julián Moreno Patiño <[email protected]>
Changed-By: Julián Moreno Patiño <[email protected]>
Closes: 919525 930866 983203
Changes:
 sshguard (2.4.2-1) unstable; urgency=medium
 .
   * New upstream release. (Closes: #919525, #930866, #983203)
   * debian/copyright, Extend copyright holders years.
     + Update upstream copyright.
   * debian/compat, Remove file, using virtual package instead.
   * debian/rules, Install lib scripts in libexec.
     + Remove sed in conf file, Multiarch now is not necessary.
   * debian/upstream/metadata, Update upstream metadata.
   * debian/control, Add virtual package debhelper-compat 13.
     + Add Rules-Requires-Root to no.
     + Bump Standards-Version to 4.6.0.1 (no changes).
     + Add Pre-Depends field.
   * debian/sshguard.conf.linux, Adjust path to libexec.
   * debian/watch, Use version 4.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
