Menu
▾
▴
Re: [Sshguard-users] SSHguard constantly exiting under OpenBSD
|
From: Keven T. <byt...@sh...> - 2009-01-14 21:13:35
|
Nope, that's not it. Cron is setup to run newsyslog every hour, but SSHguard terminates randomly "whenever". As I've said, for whatever reason fgets is returning NULL and breaking out of the main loop. The signal handler for sigint/sigfin isn't being called here as it would be if syslogd or some other program was sending sshguard a sigint. I'm not sure if this is a bug with fgets, OpenBSD, or syslogd, but I'll try and do some debugging today and figure it out. -KT On Jan 14, 2009, at 12:01 PM, Mij wrote: > Hello Keven, > > Do you have log rotation? Log rotation causes processes to be signaled > for opening the new log files. This is often the case causing those > message > in log files. > > > On Jan 14, 2009, at 11:09 AM, Keven Tipping wrote: > >> Okay, I just did some quick debugging here. >> >> It appears like SSHguard is exiting the main loop in sshguard.c. For >> whatever reason, on OpenBSD 4.4, the line: >> while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL) >> >> Is indeed returning NULL. This causes the loop to break and exit(0) >> is >> called, resulting in the "Got exit signal" message. According to >> google (and I'm not a programmer), this is caused either by fgets >> encountering EOF or some other error. >> >> Any ideas to as why this is occurring? >> >> -KT >> >> On Jan 14, 2009, at 2:47 AM, Keven Tipping wrote: >> >>> Greetings to all. >>> >>> I've been trying to get SSHguard running *reliably* on several >>> OpenBSD >>> 4.4 boxes. They all exhibit the same problem. >>> >>> I've installed sshguard (both 1.4-rc2 and svn) and have it currently >>> running as root (though I doubt this has anything to do with the >>> problem) via Syslog. The relevant syslog.conf line is: >>> auth.info;auth.priv |exec /usr/sbin/sshguard >>> >>> SSHguard launches as expected when there's authlog traffic, and >>> works >>> just fine. I can hammer the box from the LAN and SSHguard adds the >>> IP >>> addresses to the pf table. That's all fine and great. >>> >>> The problem is, that SSHguard constantly "exits". I'm not sure if >>> this >>> is a SSHguard problem or something OpenBSD related, because I can't >>> find anything in syslog's man page about this and there's nothing in >>> my crontabs that would otherwise interfere with SSHguard. >>> >>> What happens is that every ~5-20 minutes (it seems completely >>> random?), SSHguard prints the following in authlog: >>> "Jan 14 02:33:23 gw sshguard[28260]: Releasing 10.0.1.140 after 488 >>> seconds." >>> "Jan 14 02:33:23 gw sshguard[28260]: Got exit signal, flushing >>> blocked >>> addresses and exiting..." >>> >>> 10.0.1.140 is one of /several/ systems I used to test SSHguard- >>> there >>> were about ~10 IP's in the blocklist in this case, the latest one >>> was >>> blocked/added at 02:33:07, only ~16 seconds before SSHguard once >>> again >>> exited for no apparent reason. Obviously, when SSHguard exited, the >>> entire table was flushed. There's no way the last IP that was >>> blocked >>> had exceeded 420 seconds prior to SSHguard "getting an exit signal". >>> >>> I'm not sure why it does this. Once SSHguard cleanly exits (due to >>> the >>> above "signal"), syslogd restarts it as soon as there's authlog >>> traffic again and SSHguard runs anywhere from 5-20 minutes before >>> exiting. Rinse, repeat. It will do this all day, basically. >>> >>> I have no idea if this is by design, or what is going on here. Any >>> ideas? >>> >>> Cheers, >>> -KT >>> >>> ------------------------------------------------------------------------------ >>> This SF.net email is sponsored by: >>> SourcForge Community >>> SourceForge wants to tell your story. >>> http://p.sf.net/sfu/sf-spreadtheword >>> _______________________________________________ >>> Sshguard-users mailing list >>> Ssh...@li... >>> https://lists.sourceforge.net/lists/listinfo/sshguard-users >> >> >> ------------------------------------------------------------------------------ >> This SF.net email is sponsored by: >> SourcForge Community >> SourceForge wants to tell your story. >> http://p.sf.net/sfu/sf-spreadtheword >> _______________________________________________ >> Sshguard-users mailing list >> Ssh...@li... >> https://lists.sourceforge.net/lists/listinfo/sshguard-users > > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by: > SourcForge Community > SourceForge wants to tell your story. > http://p.sf.net/sfu/sf-spreadtheword > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
