sshguard fails to start thru systemctl

Hi,

I configured sshguard on SUSE LEAP 15 as per the instructions found here:

https://en.opensuse.org/SDB:Install_and_configure_sshguard

It fails to start at boot time, and again later when I try to start it with systemctl.

I get these errors -

# systemctl status sshguard
● sshguard.service - SSHGUARD provides automatic attack blocking
   Loaded: loaded (/usr/lib/systemd/system/sshguard.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2018-10-15 07:53:50 IST; 2min 51s ago
  Process: 1361 ExecStopPost=/usr/sbin/iptables -F sshguard (code=exited, status=4)
  Process: 1358 ExecStartPre=/usr/sbin/iptables -N sshguard (code=exited, status=4)


Oct 15 07:53:50 linux-e9ip systemd[1]: sshguard.service: Unit entered failed state.
Oct 15 07:53:50 linux-e9ip systemd[1]: sshguard.service: Failed with result 'exit-code'.
Oct 15 07:53:50 linux-e9ip systemd[1]: sshguard.service: Service hold-off time over, scheduling restart.
Oct 15 07:53:50 linux-e9ip systemd[1]: Stopped SSHGUARD provides automatic attack blocking.
Oct 15 07:53:50 linux-e9ip systemd[1]: sshguard.service: Start request repeated too quickly.
Oct 15 07:53:50 linux-e9ip systemd[1]: Failed to start SSHGUARD provides automatic attack blocking.
Oct 15 07:53:50 linux-e9ip systemd[1]: sshguard.service: Unit entered failed state.
Oct 15 07:53:50 linux-e9ip systemd[1]: sshguard.service: Failed with result 'exit-code'.
# systemctl start sshguard 
# systemctl status sshguard
● sshguard.service - SSHGUARD provides automatic attack blocking
   Loaded: loaded (/usr/lib/systemd/system/sshguard.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2018-10-15 07:57:01 IST; 1s ago
  Process: 2727 ExecStopPost=/usr/sbin/ip6tables -X sshguard (code=exited, status=0/SUCCESS)
  Process: 2726 ExecStopPost=/usr/sbin/iptables -X sshguard (code=exited, status=0/SUCCESS)
  Process: 2725 ExecStopPost=/usr/sbin/ip6tables -D INPUT -p tcp --dport $PORTS -j sshguard (code=exited, status=0/SUCCESS)
  Process: 2724 ExecStopPost=/usr/sbin/iptables -D INPUT -p tcp --dport $PORTS -j sshguard (code=exited, status=0/SUCCESS)
  Process: 2723 ExecStopPost=/usr/sbin/ip6tables -F sshguard (code=exited, status=0/SUCCESS)
  Process: 2722 ExecStopPost=/usr/sbin/iptables -F sshguard (code=exited, status=0/SUCCESS)
  Process: 2721 ExecStart=/usr/sbin/sshguard -a $ATTACK_TRESHOLD -p $RELEASE_TIMEOUT -s $FORGET_TIMEOUT -w $WHITELIST -b $BLACKLIST -l $MONITORED_LOGS (code=exited, status=64)
  Process: 2720 ExecStartPre=/usr/sbin/ip6tables -I INPUT 1 -p tcp --dport $PORTS -j sshguard (code=exited, status=0/SUCCESS)
  Process: 2719 ExecStartPre=/usr/sbin/iptables -I INPUT 1 -p tcp --dport $PORTS -j sshguard (code=exited, status=0/SUCCESS)
  Process: 2718 ExecStartPre=/usr/sbin/ip6tables -N sshguard (code=exited, status=0/SUCCESS)
  Process: 2717 ExecStartPre=/usr/sbin/iptables -N sshguard (code=exited, status=0/SUCCESS)
 Main PID: 2721 (code=exited, status=64)


Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Unit entered failed state.
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Failed with result 'exit-code'.
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Service hold-off time over, scheduling restart.
Oct 15 07:57:01 linux-e9ip systemd[1]: Stopped SSHGUARD provides automatic attack blocking.
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Start request repeated too quickly.
Oct 15 07:57:01 linux-e9ip systemd[1]: Failed to start SSHGUARD provides automatic attack blocking.
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Unit entered failed state.
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Failed with result 'exit-code'.


# journalctl -xe | grep sshguard
Oct 15 07:56:39 linux-e9ip systemd[1]: is_symlink_with_known_name(sshguard.service, sshguard.service) → 1
Oct 15 07:56:41 linux-e9ip systemd[1]: is_symlink_with_known_name(sshguard.service, sshguard.service) → 1
-- Subject: Unit sshguard.service has begun start-up
-- Unit sshguard.service has begun starting up.
-- Subject: Unit sshguard.service has finished start-up
-- Unit sshguard.service has finished starting up.
Oct 15 07:57:00 linux-e9ip sshguard[2676]: whitelist: unable to open input file /etc/sshguard/whitelist: Permission denied
Oct 15 07:57:00 linux-e9ip sshguard[2676]: Could not handle whitelisting for /etc/sshguard/whitelist.
Oct 15 07:57:00 linux-e9ip sshguard[2676]: usage: sshguard [-v] [-a thresh] [-b thresh:file]
Oct 15 07:57:00 linux-e9ip sshguard[2676]:                 [-f service:pid-file] [-i pidfile] [-l source] [-p interval]
Oct 15 07:57:00 linux-e9ip sshguard[2676]:                 [-s interval] [-w address | file]
Oct 15 07:57:00 linux-e9ip systemd[1]: sshguard.service: Main process exited, code=exited, status=64/n/a
Oct 15 07:57:00 linux-e9ip systemd[1]: sshguard.service: Unit entered failed state.
Oct 15 07:57:00 linux-e9ip systemd[1]: sshguard.service: Failed with result 'exit-code'.
Oct 15 07:57:00 linux-e9ip systemd[1]: sshguard.service: Service hold-off time over, scheduling restart.
-- Subject: Unit sshguard.service has finished shutting down
-- Unit sshguard.service has finished shutting down.
-- Subject: Unit sshguard.service has begun start-up
-- Unit sshguard.service has begun starting up.
-- Subject: Unit sshguard.service has finished start-up
-- Unit sshguard.service has finished starting up.
Oct 15 07:57:00 linux-e9ip sshguard[2688]: whitelist: unable to open input file /etc/sshguard/whitelist: Permission denied
Oct 15 07:57:00 linux-e9ip sshguard[2688]: Could not handle whitelisting for /etc/sshguard/whitelist.
Oct 15 07:57:00 linux-e9ip sshguard[2688]: usage: sshguard [-v] [-a thresh] [-b thresh:file]
Oct 15 07:57:00 linux-e9ip sshguard[2688]:                 [-f service:pid-file] [-i pidfile] [-l source] [-p interval]
Oct 15 07:57:00 linux-e9ip sshguard[2688]:                 [-s interval] [-w address | file]
Oct 15 07:57:00 linux-e9ip systemd[1]: sshguard.service: Main process exited, code=exited, status=64/n/a
Oct 15 07:57:00 linux-e9ip systemd[1]: sshguard.service: Unit entered failed state.
Oct 15 07:57:00 linux-e9ip systemd[1]: sshguard.service: Failed with result 'exit-code'.
Oct 15 07:57:00 linux-e9ip systemd[1]: sshguard.service: Service hold-off time over, scheduling restart.
-- Subject: Unit sshguard.service has finished shutting down
-- Unit sshguard.service has finished shutting down.
-- Subject: Unit sshguard.service has begun start-up
-- Unit sshguard.service has begun starting up.
-- Subject: Unit sshguard.service has finished start-up
-- Unit sshguard.service has finished starting up.
Oct 15 07:57:00 linux-e9ip sshguard[2699]: whitelist: unable to open input file /etc/sshguard/whitelist: Permission denied
Oct 15 07:57:00 linux-e9ip sshguard[2699]: Could not handle whitelisting for /etc/sshguard/whitelist.
Oct 15 07:57:00 linux-e9ip sshguard[2699]: usage: sshguard [-v] [-a thresh] [-b thresh:file]
Oct 15 07:57:00 linux-e9ip sshguard[2699]:                 [-f service:pid-file] [-i pidfile] [-l source] [-p interval]
Oct 15 07:57:00 linux-e9ip sshguard[2699]:                 [-s interval] [-w address | file]
Oct 15 07:57:00 linux-e9ip systemd[1]: sshguard.service: Main process exited, code=exited, status=64/n/a
Oct 15 07:57:00 linux-e9ip systemd[1]: sshguard.service: Unit entered failed state.
Oct 15 07:57:00 linux-e9ip systemd[1]: sshguard.service: Failed with result 'exit-code'.
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Service hold-off time over, scheduling restart.
-- Subject: Unit sshguard.service has finished shutting down
-- Unit sshguard.service has finished shutting down.
-- Subject: Unit sshguard.service has begun start-up
-- Unit sshguard.service has begun starting up.
-- Subject: Unit sshguard.service has finished start-up
-- Unit sshguard.service has finished starting up.
Oct 15 07:57:01 linux-e9ip sshguard[2710]: whitelist: unable to open input file /etc/sshguard/whitelist: Permission denied
Oct 15 07:57:01 linux-e9ip sshguard[2710]: Could not handle whitelisting for /etc/sshguard/whitelist.
Oct 15 07:57:01 linux-e9ip sshguard[2710]: usage: sshguard [-v] [-a thresh] [-b thresh:file]
Oct 15 07:57:01 linux-e9ip sshguard[2710]:                 [-f service:pid-file] [-i pidfile] [-l source] [-p interval]
Oct 15 07:57:01 linux-e9ip sshguard[2710]:                 [-s interval] [-w address | file]
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Main process exited, code=exited, status=64/n/a
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Unit entered failed state.
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Failed with result 'exit-code'.
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Service hold-off time over, scheduling restart.
-- Subject: Unit sshguard.service has finished shutting down
-- Unit sshguard.service has finished shutting down.
-- Subject: Unit sshguard.service has begun start-up
-- Unit sshguard.service has begun starting up.
-- Subject: Unit sshguard.service has finished start-up
-- Unit sshguard.service has finished starting up.
Oct 15 07:57:01 linux-e9ip sshguard[2721]: whitelist: unable to open input file /etc/sshguard/whitelist: Permission denied
Oct 15 07:57:01 linux-e9ip sshguard[2721]: Could not handle whitelisting for /etc/sshguard/whitelist.
Oct 15 07:57:01 linux-e9ip sshguard[2721]: usage: sshguard [-v] [-a thresh] [-b thresh:file]
Oct 15 07:57:01 linux-e9ip sshguard[2721]:                 [-f service:pid-file] [-i pidfile] [-l source] [-p interval]
Oct 15 07:57:01 linux-e9ip sshguard[2721]:                 [-s interval] [-w address | file]
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Main process exited, code=exited, status=64/n/a
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Unit entered failed state.
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Failed with result 'exit-code'.
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Service hold-off time over, scheduling restart.
-- Subject: Unit sshguard.service has finished shutting down
-- Unit sshguard.service has finished shutting down.
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Start request repeated too quickly.
-- Subject: Unit sshguard.service has failed
-- Unit sshguard.service has failed.
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Unit entered failed state.
Oct 15 07:57:01 linux-e9ip systemd[1]: sshguard.service: Failed with result 'exit-code'.

Please let me know what I should do for fixing that.

As per the title of the page:

This article or section refers to the version ‘11.1’ and it is now obsolete!

The page was designed for openSUSE 11.1 and it’s horribly outdated due to massive changes to the firewall system (SuSEfirewall2 -> firewalld).

What makes things even worse is the package included with 15.0 **cannot work at all** as it lacks the /usr/lib/sshg-fw-firewalld file. There is a package in the home repositories for 2.1.0 which includes this file and thus facilitates a different way to configure the application.

This warrants a bug report.

I will try building a local package. Thank you.

I was able to get sshguard to run on OpenSuse Leap 15.1. This is a quick note on what the issue is and how I got it to work.

The primary issues for what yast installs not working are: 1. The script sshguard is installed in a directory it is not allowed to be executed in. 2. One config file is a mess. 3. One config file is missing.

First I changed from Susefirewall2 (following others' guides) to firewalld. I used the app you can download with yast to convert from one to the other and it successfully did so.

Then downloaded sshguard through yast if not done already. Now the harder part.

  1. copy sshguard from /usr/sbin to /usr/lib (I choose copy instead of move).

  2. edit /usr/lib/systemd/system/sshguard.service
    Change ExecStart from =/usr/sbin/sshguard to =/usr/lib/sshguard (rest of line is OK)
    Added in these two lines in [Service]:
    EnvironmentFile=-/etc/sshguard.conf
    ExecStartPre=-/usr/sbin/iptables -N sshguard (not sure if this is needed)
    Added into [Unit]:
    After=firewalld.service
    #not sure if needed
    After=iptables.target
    After=ip6tables.target
    After=libvirtd.service
    Deleted all the other items about iptables and Susefirewall2 out of the file

  3. Create sshguard.conf from sshguard sample file in the tar ball for sshguard
    Then edited /etc/sshguard.conf.
    Only changes were to tell it what the correct logreader is and set the right subnet values

  4. It needs a whitelist file to run so I did this:
    touch /etc/sshguard/whitelist
    To get the system to accept the tweaks:

  5. systemctl daemon-reload

  6. systemctl start sshguard

  7. systemctl status sshguard

To see if it works, use either of these two commands in a terminal window:
firewall-cmd --info-ipset="sshguard4"
firewall-cmd --permanent --info-ipset="sshguard4" (once something is permanently blocked)

Where I got the info to get this to work were from the following two resources:

A. Title is: How to protect SSH remote login in Fedora with SSHGuard and FirewallD
Discussed sshguard interaction with firewalld, configuration of sshguard, how to download the tar ball to get sample files and how to test. Mainly the site that moved me forward.
https://www.ctrl.blog/entry/how-to-sshguard-firewalld#sshguard-section-config

B. Site was used to confirm AppArmor settings
https://en.opensuse.org/SDB:Install_and_configure_sshguard

The people trying to break in know what sshguard defaults are, so you will likely need to tweak the defaults.

Jim

I would suggest a symbolic link, instead of a copy. That way, if “sshguard” is updated you won’t have to remember to repeat the copy.

Minor update. It is apparmor that is preventing sshguard from running in /usr/sbin. I was able to get apparmor to let it run in that location, but it took numerous cycles of checking the apparmor logs and letting it auto repair to get it to run. Someone who knows apparmor likely can provide a better config than the auto repair.

I used aa-logprof after reading:
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.apparmor.concept.html

I tried a Symbolic link but it would not run. Apparmor was blocking the script.

My install died, so I had to go back and redo all the files. So here is a better listing of configs needed to get sshguard working on Leap with firewalld.

I did an uninstall of sshguard and reinstalled it for a clean start.

I made these two entries in the /etc/sshguard.conf file:
BACKEND="/usr/lib/sshg-fw-firewalld"
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"

My /usr/lib/systemd/system/sshguard.service file looks like (editing requires you to run “systemctl daemon-reload”):

[Unit]
Description=SSHGUARD provides automatic attack blocking
After=network.target
After=firewalld.service

[Service]
EnvironmentFile=-/etc/sshguard.conf
ExecStart=/usr/sbin/sshguard -a $THRESHOLD -p $BLOCK_TIME -s $DETECTION_TIME -w $WHITELIST_FILE -b $BLACKLIST_FILE
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=always

[Install]
WantedBy=multi-user.target

My apparmor file /etc/apparmor/usr.sbin.sshguard looks like:

# Last Modified: Tue Apr 2 22:12:23 2019

#include <tunables/global>

/usr/sbin/sshguard {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/nameservice>
  #include <abstractions/python>

  capability dac_override,
  capability net_admin,

  ptrace read peer=unconfined,

  # Programs the sshguard script executes
  /bin/bash ix,
  /usr/bin/basename mrix,
  /usr/bin/firewall-cmd mrix,
  /usr/bin/journalctl mrix,
  /usr/bin/python3.6 ix,
  /usr/lib/sshg-blocker mrix,
  /usr/lib/sshg-fw-firewalld mrix,
  /usr/lib/sshg-parser mrix,
  /usr/sbin/ipset mrix,
  /usr/sbin/iptables Ux,

  # Files sshguard reads or writes
  owner /etc/sshguard.conf r,
  owner /etc/sshguard/whitelist rw,
  owner /proc/*/environ r,
  owner /proc/*/sched r,
  owner /proc/*/stat r,
  owner /proc/cmdline r,
  owner /proc/sys/kernel/random/boot_id r,
  owner /run/sshguard.pid w,
  owner /usr/bin/ r,
  owner /usr/sbin/sshguard r,
  owner /var/lib/sshguard/db/blacklist.db rw,
  owner /var/log/** r,

}

There is also a file called /etc/sysconfig/sshguard, but I understand that was replaced with the sshguard.conf file.

You can also tell if it is running by running this command: systemctl status sshguard

Jim
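
A preflight check for the setup described in this thread, as an added example that is not part of any post above or of the sshguard package: it verifies that /etc/sshguard.conf defines every variable the posted unit file's ExecStart expands, plus the BACKEND and LOGREADER entries, and that the backend script and whitelist file exist. The function names and the optional root-prefix argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: preflight for the sshguard + firewalld setup in this thread.
# The optional ROOT prefix argument is an assumption of this sketch; it lets
# the checks run against a constructed directory tree instead of "/".

# conf_value FILE KEY: last KEY=value assignment in FILE, outer quotes removed.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Prints one FAIL line per problem; exit status is the number of problems.
sshguard_preflight() {
    root=${1:-}
    conf="$root/etc/sshguard.conf"
    problems=0
    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read $conf"
        return 1
    fi
    # The first five are expanded by the unit's ExecStart: systemd drops an
    # empty $VAR, leaving an option without its argument. BACKEND and
    # LOGREADER are the two entries the post adds to sshguard.conf.
    for key in THRESHOLD BLOCK_TIME DETECTION_TIME WHITELIST_FILE \
               BLACKLIST_FILE BACKEND LOGREADER; do
        if [ -z "$(conf_value "$conf" "$key")" ]; then
            echo "FAIL: $key is not set in $conf"
            problems=$((problems + 1))
        fi
    done
    backend=$(conf_value "$conf" BACKEND)
    if [ -n "$backend" ] && [ ! -x "$root$backend" ]; then
        echo "FAIL: backend $backend is missing or not executable"
        problems=$((problems + 1))
    fi
    whitelist=$(conf_value "$conf" WHITELIST_FILE)
    if [ -n "$whitelist" ] && [ ! -r "$root$whitelist" ]; then
        echo "FAIL: whitelist $whitelist is missing or unreadable"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run against the live system only when executed with --live.
if [ "${1:-}" = "--live" ]; then
    sshguard_preflight ""
fi
```

A file-mode check like this cannot see an AppArmor denial; those are what the aa-logprof cycles mentioned above work through.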