From: Michel <mi...@do...> - 2009-01-20 08:44:20

On Saturday 17 January 2009, Mij wrote:
> Hello Michel,
>
> On Jan 15, 2009, at 13:31 , Michel wrote:
>
> > On Wednesday 14 January 2009, Mij wrote:
> >> Hello Michel,
> >>
> >> Sorry for overlooking this post, I'm actually very interested.
> >> To clarify your scenario: you have 2 instances of sshguard,
> >> one for the host, the other one for both jails. I guess both
> >> jails are logging to the same file, and you are monitoring that (?).
> >>
> >> Is it always the "jails" process to show this behavior? Do you see
> >> anything strange ending up in logs? Can you report sshguard's more
> >> verbose messages (do you have debug.log or similar?)?
> >>
> >> thanks
> >>
> >
> > No, I usually have only one sshguard running:
> > ps -aux | grep sshguard
> > root 46873 0.0 0.1 1888 1132 ?? Is 10:00AM 0:00.05 /usr/local/sbin/sshguard -w
> >
> > I use syslog in the jails to log all auth.log on the host and the
> > syslog.conf of the host has the lines:
> > auth.info;authpriv.info /var/log/auth.log
> > auth.info;authpriv.info |exec /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
>
> so you're saying:
> 1) there is one syslog running in your system, collecting everything
> from host+jails to auth.log

Yes

> 2) one sshguard is configured to be given these auth.log lines and
> blocks through PF for everything

Yes

> > The last time the problem appeared (from daily security mail):
> >
> > Jan 14 09:42:00 michel sshd[28968]: Invalid user lpd from 203.252.182.37
> > Jan 14 09:42:03 michel sshd[28970]: Invalid user lpa from 203.252.182.37
> > Jan 14 09:42:06 michel sshd[28972]: Invalid user admin from 203.252.182.37
> > Jan 14 09:42:08 michel sshd[28974]: Invalid user admin from 203.252.182.37
> > Jan 14 09:42:11 michel sshd[28976]: Invalid user admin from 203.252.182.37
>
> here you don't mean that after these lines sshguard loops, do you?
>
> > In the auth.log of the host (dedi2 is the host, dedi_? are the jails):
> >
> > Jan 14 05:21:00 dedi_raphael sshd[26881]: Did not receive identification string from 216.127.160.82
> > Jan 14 05:21:00 dedi2 sshguard[21669]: Blocking 216.127.160.82: 3 failures over 156 seconds.
> > Jan 14 05:30:21 dedi2 sshguard[21669]: Releasing 195.207.16.76 after 690 seconds.
> > Jan 14 08:41:06 dedi2 sshd[28485]: Did not receive identification string from 201.134.249.168
> > Jan 14 08:48:15 dedi2 sshd[28550]: reverse mapping checking getaddrinfo for customer-201-134-249-168.uninet-ide.com.mx [201.134.249.168] failed - POSSIBLE BREAK-IN ATTEMPT!
> > Jan 14 08:48:15 dedi2 sshd[28550]: Invalid user globus from 201.134.249.168
> > Jan 14 09:42:00 dedi_michel sshd[28968]: Invalid user lpd from 203.252.182.37
> > Jan 14 09:42:03 dedi_michel sshd[28970]: Invalid user lpa from 203.252.182.37
> > Jan 14 09:42:06 dedi_michel sshd[28972]: Invalid user admin from 203.252.182.37
> > Jan 14 09:42:08 dedi_michel sshd[28974]: Invalid user admin from 203.252.182.37
> > Jan 14 09:42:11 dedi_michel sshd[28976]: Invalid user admin from 203.252.182.37
> > ....
> > a lot of lines: >600 (1 every 2-3 seconds)
> > ....
> > Jan 14 10:02:53 dedi_michel sshd[31475]: Invalid user leslie from 203.252.182.37
> > Jan 14 10:02:56 dedi_michel sshd[31477]: Invalid user leslie from 203.252.182.37
> > Jan 14 10:02:56 dedi2 sshguard[31479]: Started successfully [(a,p,s)=(3, 600, 1800)], now ready to scan.
> > Jan 14 10:02:58 dedi_michel sshd[31480]: Invalid user leslie from 203.252.182.37
> > Jan 14 10:03:01 dedi_michel sshd[31482]: Invalid user leslie from 203.252.182.37
> >
> >
> > And debug.0.log:
> >
> > Jan 14 05:30:21 dedi2 sshguard[21669]: Setting environment: SSHG_ADDR=195.207.16.76;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> > Jan 14 05:30:21 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
> > Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.225.216.24' as plain IPv4.
> > Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.225.216.24.
> > Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.241.2.81' as plain IPv4.
> > Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.241.2.81.
> > Jan 14 10:02:56 dedi2 sshguard[31479]: Matched IP address 203.252.182.37
> > Jan 14 10:03:01 dedi2 last message repeated 2 times
> > Jan 14 10:03:01 dedi2 sshguard[31479]: Setting environment: SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> > Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
> > Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tflush -t sshguard": exited 0.
> > Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> >
> > It looks like sshguard is starting twice at 10:02:56?
>
> When that message occurs, sshguard is actually starting. This happens
> frequently for a restart (e.g. for log rotation) but there I don't see
> a "Got exit signal" message before. Do you see two instances at that
> point?

Yes

> If so, do they have the same parent and status? You can
> derive this answer with this command:
>
> ps axjh | grep -E 'sshguard|syslog'

dedi2# ps axjh | grep -E 'sshguard|syslog'
root   426     1   426   426 0 Ss  ??    3:30.50 /usr/sbin/syslogd -a 88.191.206.196 -a 88.191.206.197 -a 88.191.206.198
root   746     1   746   746 0 SsJ ??    1:07.35 /usr/sbin/syslogd -s
root  1302     1  1302  1302 0 IsJ ??    1:03.50 /usr/sbin/syslogd -s
root 78143     1 74878 74878 0 R   ?? 1358:09.42 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
root 82313     1 82313 82313 0 IsJ ??    0:15.04 /usr/sbin/syslogd -s
root 88115   426 88115 88115 0 Ss  ??    0:00.10 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
root 95765 95761 95764 95758 2 R+  p1    0:00.00 grep -E sshguard|syslog

> As a further curiosity: if you signal the "looped" instance with TSTP,
> does it remain looping?
> kill -s TSTP <pid_looped>
> after this command, do you see anything in the log like "Got STOP
> signal, suspending activity." ?
>

kill -s TSTP 78143 and it remains looping! And nothing in messages nor in debug:

Jan 20 09:17:56 dedi2 sshguard[88115]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
Jan 20 09:31:04 dedi2 sshguard[88115]: Setting environment: SSHG_ADDR=85.25.73.69;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jan 20 09:31:04 dedi2 sshguard[88115]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.

Only a kill -9 78143 stops the loop ...
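The thread's sshguard is fed by syslog with `-w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800`, and its log shows the resulting "Blocking X: 3 failures over N seconds" / "Releasing X after N seconds" decisions. As an added example, not part of this thread and not sshguard's own code, the block below re-implements that counting in Python and runs it over a constructed log (the attacker lines quoted above, plus three failures from the whitelisted 82.225.216.24 and one later line so the pardon timer expires). It assumes the usual reading of the flags: `-a` failures within the `-s` stale window block an address, a block is lifted after the `-p` pardon delay, and `-w` addresses are never counted. It simplifies in two places, both marked in comments: the whitelist takes plain IPv4 only, and pardon expiry is checked on every line rather than on sshguard's timer. Only the two sshd messages that appear in the quoted auth.log are matched.

```python
"""Model of the counting behind sshguard's Blocking/Releasing messages,
driven by the flags from the thread (-a 3 -p 600 -s 1800, -w whitelist).
Added example, not sshguard's own code."""
import re
from datetime import datetime

# The two sshd messages sshguard matched in the thread's auth.log excerpts.
# (Assumption/simplification: real sshguard has many more patterns and services.)
ATTACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Did not receive identification string from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)


def parse_ts(stamp, year=2009):
    """syslog stamps carry no year; assume the thread's (2009)."""
    stamp = " ".join(stamp.split())          # "Jan  4" -> "Jan 4"
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").timestamp()


class Guard:
    """Sliding-window blocker: -a hits within the -s stale window block an
    address; the block is lifted once the -p pardon delay has elapsed."""

    def __init__(self, abuse=3, pardon=600, stale=1800, whitelist=()):
        self.abuse, self.pardon, self.stale = abuse, pardon, stale
        self.whitelist = set(whitelist)      # plain IPv4 only (sshguard also takes CIDR/hostnames)
        self.attackers = {}                  # ip -> {"hits", "first", "last"}
        self.blocked = {}                    # ip -> time the block was applied
        self.actions = []                    # what sshguard would hand to pfctl

    def _release_expired(self, now):
        for ip, since in list(self.blocked.items()):
            if now - since >= self.pardon:
                del self.blocked[ip]
                self.actions.append(f"pfctl -Tdel -t sshguard {ip}")

    def feed(self, line):
        """Consume one log line; return the Blocking message if it triggers one."""
        m = ATTACK_RE.match(line)
        if not m:
            return None
        now = parse_ts(m["ts"])
        self._release_expired(now)           # sshguard does this on a timer; here per line
        ip = m["ip"]
        if ip in self.whitelist or ip in self.blocked:
            return None                      # -w addresses are never counted
        rec = self.attackers.get(ip)
        if rec is None or now - rec["last"] > self.stale:
            rec = {"hits": 0, "first": now}  # new, or stale: count starts over
        rec["hits"] += 1
        rec["last"] = now
        self.attackers[ip] = rec
        if rec["hits"] < self.abuse:
            return None
        del self.attackers[ip]
        self.blocked[ip] = now
        self.actions.append(f"pfctl -Tadd -t sshguard {ip}")
        return f"Blocking {ip}: {rec['hits']} failures over {int(now - rec['first'])} seconds."


# Constructed sample: attacker lines from the thread, three hits from the
# whitelisted 82.225.216.24, and a later line that lets the pardon expire.
SAMPLE_LOG = """\
Jan 14 09:42:00 dedi_michel sshd[28968]: Invalid user lpd from 203.252.182.37
Jan 14 09:42:03 dedi_michel sshd[28970]: Invalid user lpa from 203.252.182.37
Jan 14 09:42:05 dedi_michel sshd[28971]: Invalid user test from 82.225.216.24
Jan 14 09:42:06 dedi_michel sshd[28972]: Invalid user admin from 203.252.182.37
Jan 14 09:42:08 dedi_michel sshd[28974]: Invalid user admin from 203.252.182.37
Jan 14 09:42:20 dedi_michel sshd[28975]: Invalid user test from 82.225.216.24
Jan 14 09:42:30 dedi_michel sshd[28976]: Invalid user test from 82.225.216.24
Jan 14 09:52:10 dedi2 sshd[28485]: Did not receive identification string from 201.134.249.168
"""


def run(log=SAMPLE_LOG):
    """Feed the log through a guard configured like the thread's; return it and its messages."""
    guard = Guard(whitelist=["82.225.216.24", "82.241.2.81"])
    messages = [msg for line in log.splitlines() if (msg := guard.feed(line))]
    return guard, messages


if __name__ == "__main__":
    g, msgs = run()
    print("\n".join(msgs))
    print("\n".join(g.actions))
```

Running it blocks 203.252.182.37 on its third failure (6 seconds after the first, matching the "N failures over M seconds" form in the thread), never counts the whitelisted address despite three failures, ignores the fourth failure from an already-blocked address, and emits the `pfctl -Tdel` once a line arrives more than 600 seconds after the block.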