Re: [Sshguard-users] sshguard go to 100% cpu

[Mij <mi...@bi...>]

Hello Michel,

Sorry for overlooking this post, I'm actually very interested.
To clarify your scenario: you have 2 instances of sshguard,
one for the host, the other one for both jails. I guess both
jails are logging to the same file, and you are monitoring that (?).

Is it always the "jails" process to show this behavior? Do you see
anything strange ending up in logs? Can you report sshguard's more
verbose messages (do you have debug.log or similar?)?

thanks


On Dec 20, 2008, at 5:55 PM, Michel wrote:

> Hello,
>
> I use sshguard-pf-1.3 on a FreeBSD 6.3-RELEASE with 2 jails and from  
> time to time sshguard go to 100% cpu.
>
> PID JID USERNAME    THR PRI NICE   SIZE    RES STATE    TIME   WCPU  
> COMMAND
>  240    0  root                  1     132    0     1936K  1188K  
> RUN     31:03     98.34% sshguard
> .......
> .......
> 13756  0  root                  4       20    0     1936K  1212K  
> kserel   0:01      0.00% sshguard
> ......
>
>
> When this occur sshguard continue to protect the host :
>
> Dec 19 08:47:11 yyyy sshguard[95523]: Blocking 89.188.34.150: 3  
> failures over 1 seconds.
> Dec 19 09:08:23 yyyy sshguard[95523]: Blocking 89.145.245.192: 3  
> failures over 2 seconds.
> Dec 19 09:26:06 yyyy sshguard[95523]: Blocking 122.166.15.47: 3  
> failures over 163 seconds.
> Dec 19 09:47:16 yyyy sshguard[5822]: Blocking 75.125.177.242: 3  
> failures over 3 seconds.
> Dec 19 09:47:17 yyyy sshguard[5822]: Blocking 121.134.8.168: 3  
> failures over 2 seconds.
> Dec 19 10:13:30 yyyy sshguard[5822]: Blocking 89.145.245.192: 3  
> failures over 3 seconds.
>
> but dont protect the jails any more :
>
> Dec 19 09:40:05 zzzzzz sshd[4120]: Invalid user dominic from  
> 121.134.8.168
> Dec 19 09:40:07 zzzzzz sshd[4126]: Invalid user edgar from  
> 121.134.8.168
> Dec 19 09:40:09 zzzzzz sshd[4132]: Invalid user omar from  
> 121.134.8.168
> Dec 19 09:40:12 zzzzzz sshd[4138]: Invalid user derrick from  
> 121.134.8.168
> Dec 19 09:40:14 zzzzzz sshd[4144]: Invalid user hector from  
> 121.134.8.168
> Dec 19 09:40:17 zzzzzz sshd[4150]: Invalid user douglas from  
> 121.134.8.168
> Dec 19 09:40:19 zzzzzz sshd[4156]: Invalid user frank from  
> 121.134.8.168
> Dec 19 09:40:22 zzzzzz sshd[4162]: Invalid user tristan from  
> 121.134.8.168
> Dec 19 09:40:24 zzzzzz sshd[4168]: Invalid user collin from  
> 121.134.8.168
>
> I have to kill the 100% sshguard to return to "normal" behaviour.
>
> Any help ?
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users