From: Mij <mi...@bi...> - 2009-01-17 10:57:44

Hello Michel,

On Jan 15, 2009, at 13:31 , Michel wrote:

> Le mercredi 14 janvier 2009, Mij a écrit :
>> Hello Michel,
>>
>> Sorry for overlooking this post, I'm actually very interested.
>> To clarify your scenario: you have 2 instances of sshguard,
>> one for the host, the other one for both jails. I guess both
>> jails are logging to the same file, and you are monitoring that (?).
>>
>> Is it always the "jails" process to show this behavior? Do you see
>> anything strange ending up in logs? Can you report sshguard's more
>> verbose messages (do you have debug.log or similar?)?
>>
>> thanks
>>
>
> No, I usually have only one sshguard running:
> ps -aux | grep sshguard
> root 46873 0.0 0.1 1888 1132 ?? Is 10:00AM 0:00.05 /usr/local/sbin/sshguard -w
>
> I use syslog in the jails to log all auth.log on the host and the
> syslog.conf of the host has the lines:
> auth.info;authpriv.info /var/log/auth.log
> auth.info;authpriv.info |exec /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800

so you're saying:
1) there is one syslog running in your system, collecting everything from host+jails to auth.log
2) one sshguard is configured to be given these auth.log lines and blocks through PF for everything

> The last time the problem appeared (from daily security mail):
>
> Jan 14 09:42:00 michel sshd[28968]: Invalid user lpd from 203.252.182.37
> Jan 14 09:42:03 michel sshd[28970]: Invalid user lpa from 203.252.182.37
> Jan 14 09:42:06 michel sshd[28972]: Invalid user admin from 203.252.182.37
> Jan 14 09:42:08 michel sshd[28974]: Invalid user admin from 203.252.182.37
> Jan 14 09:42:11 michel sshd[28976]: Invalid user admin from 203.252.182.37

here you don't mean that after these lines sshguard loops, do you?

> In the auth.log of the host (dedi2 is the host, dedi_? are the jails):
>
> Jan 14 05:21:00 dedi_raphael sshd[26881]: Did not receive identification string from 216.127.160.82
> Jan 14 05:21:00 dedi2 sshguard[21669]: Blocking 216.127.160.82: 3 failures over 156 seconds.
> Jan 14 05:30:21 dedi2 sshguard[21669]: Releasing 195.207.16.76 after 690 seconds.
> Jan 14 08:41:06 dedi2 sshd[28485]: Did not receive identification string from 201.134.249.168
> Jan 14 08:48:15 dedi2 sshd[28550]: reverse mapping checking getaddrinfo for customer-201-134-249-168.uninet-ide.com.mx [201.134.249.168] failed - POSSIBLE BREAK-IN ATTEMPT!
> Jan 14 08:48:15 dedi2 sshd[28550]: Invalid user globus from 201.134.249.168
> Jan 14 09:42:00 dedi_michel sshd[28968]: Invalid user lpd from 203.252.182.37
> Jan 14 09:42:03 dedi_michel sshd[28970]: Invalid user lpa from 203.252.182.37
> Jan 14 09:42:06 dedi_michel sshd[28972]: Invalid user admin from 203.252.182.37
> Jan 14 09:42:08 dedi_michel sshd[28974]: Invalid user admin from 203.252.182.37
> Jan 14 09:42:11 dedi_michel sshd[28976]: Invalid user admin from 203.252.182.37
> ....
> a lot of lines: >600 (1 every 2-3 seconds)
> ....
> Jan 14 10:02:53 dedi_michel sshd[31475]: Invalid user leslie from 203.252.182.37
> Jan 14 10:02:56 dedi_michel sshd[31477]: Invalid user leslie from 203.252.182.37
> Jan 14 10:02:56 dedi2 sshguard[31479]: Started successfully [(a,p,s)=(3, 600, 1800)], now ready to scan.
> Jan 14 10:02:58 dedi_michel sshd[31480]: Invalid user leslie from 203.252.182.37
> Jan 14 10:03:01 dedi_michel sshd[31482]: Invalid user leslie from 203.252.182.37
>
>
> And debug.0.log:
>
> Jan 14 05:30:21 dedi2 sshguard[21669]: Setting environment: SSHG_ADDR=195.207.16.76;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Jan 14 05:30:21 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
> Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.225.216.24' as plain IPv4.
> Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.225.216.24.
> Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.241.2.81' as plain IPv4.
> Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.241.2.81.
> Jan 14 10:02:56 dedi2 sshguard[31479]: Matched IP address 203.252.182.37
> Jan 14 10:03:01 dedi2 last message repeated 2 times
> Jan 14 10:03:01 dedi2 sshguard[31479]: Setting environment: SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
> Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tflush -t sshguard": exited 0.
> Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
>
> It looks like sshguard is starting twice on 10:02:56?

When that message occurs, sshguard is actually starting. This happens frequently for a restart (e.g. for log rotation) but there I don't see a "Got exit signal" message before. Do you see two instances at that point? If so, do they have the same parent and status? You can derive this answer with this command:

ps axjh | grep -E 'sshguard|syslog'

As a further curiosity: if you signal the "looped" instance with TSTP, does it remain looping?

kill -s TSTP <pid_looped>

After this command, do you see anything in the log like "Got STOP signal, suspending activity." ?

> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
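An added example, not code from the thread or from sshguard itself, that checks the debug log for the situation Mij describes: a second "Started successfully" with no "Got exit signal" from the earlier instance, after which the old PID keeps acting. The sample lines are constructed after the ones quoted above, and the "Got exit signal" message prefix is an assumption taken from Mij's wording.

```python
import re

# Constructed sample, modelled on the debug.0.log lines quoted in the thread:
# PID 21669 is still running pfctl at 10:03:24 although PID 31479 started at 10:02:56.
SAMPLE_LOG = """\
Jan 14 05:21:00 dedi2 sshguard[21669]: Blocking 216.127.160.82: 3 failures over 156 seconds.
Jan 14 05:30:21 dedi2 sshguard[21669]: Releasing 195.207.16.76 after 690 seconds.
Jan 14 10:02:56 dedi2 sshguard[31479]: Started successfully [(a,p,s)=(3, 600, 1800)], now ready to scan.
Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tflush -t sshguard": exited 0.
Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
"""

# syslog line: "<Mon DD HH:MM:SS> <host> sshguard[<pid>]: <message>"
# Lines without a PID (e.g. "sshguard: whitelist: ...", "last message repeated") are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshguard\[(?P<pid>\d+)\]: (?P<msg>.*)$')

# Assumed message prefix for a clean shutdown, as referred to in the thread.
EXIT_PREFIX = 'Got exit signal'
START_PREFIX = 'Started successfully'


def find_overlapping_instances(log_text):
    """Return (stale_pid, new_pid, timestamp) for every line where an sshguard
    instance is still acting after a different instance reported a successful
    start, without that older instance having logged an exit in between."""
    overlaps = []
    exited = set()          # PIDs that logged a clean exit
    latest_start = None     # (pid, ts) of the most recent start message
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg, ts = m['pid'], m['msg'], m['ts']
        if msg.startswith(EXIT_PREFIX):
            exited.add(pid)
        elif msg.startswith(START_PREFIX):
            latest_start = (pid, ts)
        elif latest_start and pid != latest_start[0] and pid not in exited:
            overlaps.append((pid, latest_start[0], ts))
    return overlaps


if __name__ == '__main__':
    for stale, new, ts in find_overlapping_instances(SAMPLE_LOG):
        print(f'{ts}: pid {stale} still active after pid {new} started')
```

A normal log-rotation restart (old PID logs its exit, new PID starts) produces no report; only a concurrent second instance does.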