Bug 517628 - app-admin/sshguard is very slow to initialize iptables
Summary: app-admin/sshguard is very slow to initialize iptables
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Netmon project
URL: http://sourceforge.net/p/sshguard/bugs/
Whiteboard:
Keywords: NeedPatch
Depends on:
Blocks:
Reported: 2014-07-20 23:55 UTC by c.cboldt
Modified: 2016-10-14 11:10 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Attachments
Speed iptables initialization; catch additional sshd intrusion attempts (iptables-init.patch,1.25 KB, patch)
2014-07-21 00:52 UTC, c.cboldt
Description c.cboldt 2014-07-20 23:55:56 UTC
sshguard was taking several minutes to start up, and on running in debug mode, I noticed a slow processing of reverse lookups as "iptables -L" was run.

If the iptables initialization command is changed to "iptables -n -L sshguard", there are two benefits.  Initialization is a snap, and there is a check for the necessary "sshguard" chain in the iptables ruleset.  That second benefit might help users who think they have sshguard set up (it starts okay), only to run into an error when sshguard detects an action-worthy incident.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-07-21 00:18:58 UTC
You really ought to report this upstream.
Comment 2 c.cboldt 2014-07-21 00:40:02 UTC
(In reply to Jeroen Roovers from comment #1)
> You really ought to report this upstream.

I did, but not via sourceforge.  The report was submitted via http://www.sshguard.net/

I'll visit the sourceforge link next.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-07-21 00:52:27 UTC
(In reply to c.cboldt from comment #2)
> (In reply to Jeroen Roovers from comment #1)
> > You really ought to report this upstream.
> 
> I did, but not via sourceforge.  The report was submitted via
> http://www.sshguard.net/

I looked in vain for a way to communicate it through there.

> I'll visit the sourceforge link next.

I doubt it is needed, then.
Comment 4 c.cboldt 2014-07-21 00:52:35 UTC
Created attachment 381182 [details, diff]
Speed iptables initialization; catch additional sshd intrusion attempts

Patch the iptables initialization command to `iptables -n -L sshguard`

Patch one of the regex strings to catch both ...
Failed password for root from 60.173.26.53 port 2944 ssh2
Failed password for invalid user root from 60.173.26.53 port 2944 ssh2
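The matching problem comment 4 describes, as an added illustration (not the attached patch, whose actual pattern is not shown on this page, and not sshguard's own code): a regex that accepts both sshd failure formats, with and without the "invalid user" prefix, and a tally per source address that a blocking decision could be based on. The syslog prefix on the sample lines is constructed; the two message bodies are the ones quoted in the comment.

```python
import re

# Matches both OpenSSH failure formats quoted in comment 4:
#   Failed password for root from 60.173.26.53 port 2944 ssh2
#   Failed password for invalid user root from 60.173.26.53 port 2944 ssh2
# The optional "invalid user " prefix is the variant a pattern anchored on
# "for <user> from" would miss.
FAILED_PASSWORD_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2"
)


def parse_failed_login(line):
    """Return a dict for an sshd 'Failed password' line, or None if it does not match."""
    m = FAILED_PASSWORD_RE.search(line)
    if not m:
        return None
    return {
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,
        "ip": m.group("ip"),
        "port": int(m.group("port")),
    }


def count_failures_by_ip(lines):
    """Tally matching failures per source address (the basis for a block decision)."""
    counts = {}
    for line in lines:
        rec = parse_failed_login(line)
        if rec:
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


# Constructed sample log: the two lines quoted in comment 4 (with an invented
# syslog prefix) plus one unrelated successful login that must not match.
SAMPLE_LOG = [
    "Jul 20 23:50:01 host sshd[1234]: Failed password for root from 60.173.26.53 port 2944 ssh2",
    "Jul 20 23:50:03 host sshd[1234]: Failed password for invalid user root from 60.173.26.53 port 2944 ssh2",
    "Jul 20 23:50:05 host sshd[1235]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_failed_login(line))
    print(count_failures_by_ip(SAMPLE_LOG))
```

Both failure lines resolve to the same source address, so the tally counts two attempts from 60.173.26.53; a pattern without the optional group would count only one and under-report the attacker's rate.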
Comment 5 c.cboldt 2014-07-21 00:59:16 UTC
(In reply to Jeroen Roovers from comment #3)
> (In reply to c.cboldt from comment #2)
> > (In reply to Jeroen Roovers from comment #1)
> > > You really ought to report this upstream.
> > 
> > I did, but not via sourceforge.  The report was submitted via
> > http://www.sshguard.net/
> 
> I looked in vain for a way to communicate it through there.
> 
> > I'll visit the sourceforge link next.
> 
> I doubt it is needed, then.

Belt and suspenders.  I don't know which entity is more responsive.

I also had an issue with the regex for sshd (as you'll see from the patch).  The sshguard.net site has a place to provide suggestions for new regexes.  I used that to suggest the change to the iptables initialization command.  A bug report has been dropped at sourceforge as well.

I have no problem with this bug being closed, particularly if there is no intention to fix it from the distribution side.  I've taken care of the issues for my purposes, with the patch and a local ebuild.
Comment 6 c.cboldt 2016-10-14 11:10:46 UTC
I support closing this bug. I've likewise taken care of the issues for my purposes.  In my case, by abandoning sshguard and composing a homebrew dynamic firewall. There is no sense in leaving this open as a Gentoo bug.