sshguard no longer adds rule to INPUT chain (regression on upgrade)

Bug #1899765 reported by Malcolm Scott
This bug affects 3 people
Affects: sshguard (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

An Ubuntu 18.04 system with sshguard installed blocks ssh attacks by default, with no additional configuration required. After upgrading to Ubuntu 20.04, attacks no longer get blocked without further action by the user.

sshguard 1.7.1-1 on Ubuntu 18.04 used to add a rule to the iptables INPUT chain on startup (c/o "/usr/lib/sshguard/firewall enable") and remove it on shutdown.

sshguard 2.3.1-1ubuntu1.1 on Ubuntu 20.04 no longer does this. The role of /usr/lib/sshguard/firewall is now handled by ExecStartPre= lines in sshguard.service, and by the fw_init function in /usr/lib/x86_64-linux-gnu/sshg-fw-iptables. All this does is create an empty "sshguard" chain. No reference to this chain is added to the INPUT chain.

sshguard adds rules to this chain to drop packets from offending IP addresses, but nothing actually gets blocked as there is no rule directing any traffic at this chain.

For sshguard to function in 20.04 the user must themselves arrange for the relevant rule to be added to INPUT (e.g. "iptables -I INPUT -j sshguard" on boot). This change is not noted in the changelog, nor in any included documentation.
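Added example (not from the reporter or the sshguard package): a small POSIX shell check that parses `iptables -S` output and tells apart the three states described above (no sshguard chain, an orphaned chain nothing jumps to, and a chain wired into INPUT), plus an idempotent form of the workaround rule. The rulesets below are constructed samples, not output from a real system.

```shell
#!/bin/sh
# Detect the 20.04 regression: an "sshguard" chain that exists but that no
# INPUT rule jumps to. Input is text in `iptables -S` (--list-rules) format.

# Returns 0 if some rule in INPUT jumps to the sshguard chain, 1 otherwise.
input_jumps_to_sshguard() {
  printf '%s\n' "$1" | grep -Eq '^-A INPUT .*-j sshguard( |$)'
}

# Returns 0 if the sshguard chain itself exists (a "-N sshguard" line).
sshguard_chain_exists() {
  printf '%s\n' "$1" | grep -Eq '^-N sshguard$'
}

# Prints one of: no-chain, orphaned-chain, ok
check_ruleset() {
  if ! sshguard_chain_exists "$1"; then
    echo no-chain
  elif ! input_jumps_to_sshguard "$1"; then
    echo orphaned-chain
  else
    echo ok
  fi
}

# On a live system (root): add the jump only if it is missing, so running this
# on every boot does not stack duplicate rules. `iptables -C` returns 0 when
# the rule already exists.
ensure_input_jump() {
  iptables -C INPUT -j sshguard 2>/dev/null || iptables -I INPUT -j sshguard
}

# Constructed ruleset mirroring the 20.04 behaviour in the report: the chain
# holds a DROP rule for an attacker, but nothing in INPUT sends traffic to it.
BROKEN_RULESET='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N sshguard
-A sshguard -s 192.0.2.10/32 -j DROP'

# Constructed ruleset after the workaround ("iptables -I INPUT -j sshguard").
FIXED_RULESET='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N sshguard
-A INPUT -j sshguard
-A sshguard -s 192.0.2.10/32 -j DROP'

check_ruleset "$BROKEN_RULESET"   # orphaned-chain
check_ruleset "$FIXED_RULESET"    # ok
```

On a real host, run `check_ruleset "$(iptables -S)"` as root; `orphaned-chain` is the state this bug describes.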

Eduardo Barretto (ebarretto) wrote :

Hi Malcolm,

Can I make this bug public, so others can check if this is truly a regression?

Malcolm Scott (malcscott) wrote :

OK, if you're happy to publicly disclose what might in some strange circumstances be a vulnerability (though of course nobody should be relying solely on sshguard for security).

information type: Private Security → Public Security
Changed in sshguard (Ubuntu):
status: New → Confirmed
Tim K. (tkubnt) wrote :

No fixes for this bug? It seems like a pretty important security fix.

Tim K. (tkubnt) wrote :

Still not fixed in Ubuntu 22.04.1 LTS (jammy).

Alex Murray (alexmurray) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security