From: Michel <mi...@do...> - 2009-01-15 13:10:14
On Wednesday 14 January 2009, Mij wrote:
> Hello Michel,
>
> Sorry for overlooking this post, I'm actually very interested.
> To clarify your scenario: you have 2 instances of sshguard,
> one for the host, the other one for both jails. I guess both
> jails are logging to the same file, and you are monitoring that (?).
>
> Is it always the "jails" process to show this behavior? Do you see
> anything strange ending up in logs? Can you report sshguard's more
> verbose messages (do you have debug.log or similar?)?
>
> thanks
>
No, I usually have only one sshguard running:
ps -aux | grep sshguard \
root 46873 0.0 0.1 1888 1132 ?? Is 10:00AM 0:00.05 /usr/local/sbin/sshguard -w
I use syslog in the jails to log all auth.log on the host, and the syslog.conf of the host has the lines:
auth.info;authpriv.info /var/log/auth.log
auth.info;authpriv.info |exec /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
The last time the problem appeared (from the daily security mail):
Jan 14 09:42:00 michel sshd[28968]: Invalid user lpd from 203.252.182.37
Jan 14 09:42:03 michel sshd[28970]: Invalid user lpa from 203.252.182.37
Jan 14 09:42:06 michel sshd[28972]: Invalid user admin from 203.252.182.37
Jan 14 09:42:08 michel sshd[28974]: Invalid user admin from 203.252.182.37
Jan 14 09:42:11 michel sshd[28976]: Invalid user admin from 203.252.182.37
In the auth.log of the host (dedi2 is the host, dedi_? are the jails):
Jan 14 05:21:00 dedi_raphael sshd[26881]: Did not receive identification string from 216.127.160.82
Jan 14 05:21:00 dedi2 sshguard[21669]: Blocking 216.127.160.82: 3 failures over 156 seconds.
Jan 14 05:30:21 dedi2 sshguard[21669]: Releasing 195.207.16.76 after 690 seconds.
Jan 14 08:41:06 dedi2 sshd[28485]: Did not receive identification string from 201.134.249.168
Jan 14 08:48:15 dedi2 sshd[28550]: reverse mapping checking getaddrinfo for customer-201-134-249-168.uninet-ide.com.mx [201.134.249.168] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 14 08:48:15 dedi2 sshd[28550]: Invalid user globus from 201.134.249.168
Jan 14 09:42:00 dedi_michel sshd[28968]: Invalid user lpd from 203.252.182.37
Jan 14 09:42:03 dedi_michel sshd[28970]: Invalid user lpa from 203.252.182.37
Jan 14 09:42:06 dedi_michel sshd[28972]: Invalid user admin from 203.252.182.37
Jan 14 09:42:08 dedi_michel sshd[28974]: Invalid user admin from 203.252.182.37
Jan 14 09:42:11 dedi_michel sshd[28976]: Invalid user admin from 203.252.182.37
....
a lot of lines: >600 (1 every 2-3 seconds)
....
Jan 14 10:02:53 dedi_michel sshd[31475]: Invalid user leslie from 203.252.182.37
Jan 14 10:02:56 dedi_michel sshd[31477]: Invalid user leslie from 203.252.182.37
Jan 14 10:02:56 dedi2 sshguard[31479]: Started successfully [(a,p,s)=(3, 600, 1800)], now ready to scan.
Jan 14 10:02:58 dedi_michel sshd[31480]: Invalid user leslie from 203.252.182.37
Jan 14 10:03:01 dedi_michel sshd[31482]: Invalid user leslie from 203.252.182.37
And debug.0.log:
Jan 14 05:30:21 dedi2 sshguard[21669]: Setting environment: \ SSHG_ADDR=195.207.16.76;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jan 14 05:30:21 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.225.216.24' as plain IPv4.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.225.216.24.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.241.2.81' as plain IPv4.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.241.2.81.
Jan 14 10:02:56 dedi2 sshguard[31479]: Matched IP address 203.252.182.37
Jan 14 10:03:01 dedi2 last message repeated 2 times
Jan 14 10:03:01 dedi2 sshguard[31479]: Setting environment: \ SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tflush -t sshguard": exited 0.
Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: \ SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
It looks like sshguard is starting twice at 10:02:56?
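An added example, not part of this thread or of sshguard itself: a small Python script that walks the debug.0.log lines quoted above (copied here as a constructed sample, with the stray line-continuation backslashes removed) and reports the two things worth checking before concluding that the daemon was started twice: sshguard PIDs whose activity overlaps in time, and a `pfctl -Tflush` issued by one PID after a different PID had just added an address, which releases that block.

```python
import re
from datetime import datetime

# Constructed sample: the debug.0.log lines quoted above, minus the stray backslashes.
SAMPLE_LOG = """\
Jan 14 05:30:21 dedi2 sshguard[21669]: Setting environment: SSHG_ADDR=195.207.16.76;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jan 14 05:30:21 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
Jan 14 10:02:56 dedi2 sshguard[31479]: Matched IP address 203.252.182.37
Jan 14 10:03:01 dedi2 last message repeated 2 times
Jan 14 10:03:01 dedi2 sshguard[31479]: Setting environment: SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tflush -t sshguard": exited 0.
Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
                     r"sshguard\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CMD_RE = re.compile(r'Run command "/sbin/pfctl -T(?P<op>add|del|flush) -t sshguard')

def parse(log):
    """(timestamp, pid, pfctl op or None) per sshguard[pid] line; lines
    without a PID ('last message repeated ...') are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; ordering assumes a single year
            cmd = CMD_RE.search(m["msg"])
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                           int(m["pid"]), cmd["op"] if cmd else None))
    return events

def overlapping_pids(events):
    """PID pairs whose first..last activity spans overlap: two instances alive at once."""
    spans = {}
    for ts, pid, _ in events:
        first, last = spans.get(pid, (ts, ts))
        spans[pid] = (min(first, ts), max(last, ts))
    pids = sorted(spans)
    return [(a, b) for i, a in enumerate(pids) for b in pids[i + 1:]
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]]

def foreign_flushes(events):
    """(time, flushing pid, adding pid) when one instance flushes the pf table
    after a different instance added an address, releasing that block."""
    hits, last_add_pid = [], None
    for ts, pid, op in events:
        if op == "add":
            last_add_pid = pid
        elif op == "flush" and last_add_pid not in (None, pid):
            hits.append((ts.strftime("%H:%M:%S"), pid, last_add_pid))
    return hits
```

On the sample above it reports PIDs 21669 and 31479 as overlapping, and the 10:03:24 flush by 21669 as undoing the block that 31479 added at 10:03:01.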