From: Leonid S. <Leo...@en...> - 2009-03-09 07:22:43
Hi,

After the attack below, sshguard crashed:

Mar 8 21:01:54 router sshd[23464]: Did not receive identification string from 81.21.15.199
Mar 8 21:01:55 router sshguard[23158]: Matched address 81.21.15.199:4 attacking service 100
Mar 8 21:08:13 router sshd[23466]: reverse mapping checking getaddrinfo for unknown-host.intellecom.net.ua [81.21.15.199] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 8 21:08:13 router sshd[23466]: Invalid user staff from 81.21.15.199
Mar 8 21:08:14 router sshguard[23158]: Matched address 81.21.15.199:4 attacking service 100
Mar 8 21:08:14 router sshguard[23158]: Blocking 81.21.15.199:4 for >420secs: 2 failures over 379 seconds.
Mar 8 21:08:14 router sshguard[23158]: Setting environment: SSHG_ADDR=81.21.15.199;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Mar 8 21:08:14 router sshguard[23158]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -I sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Mar 8 21:08:14 router sshguard[23158]: First sight of offender '81.21.15.199:4', adding to offenders list.
Mar 8 21:08:14 router sshguard[23158]: Matched address 81.21.15.199:4 attacking service 100
Mar 8 21:08:15 router sshd[23468]: reverse mapping checking getaddrinfo for unknown-host.intellecom.net.ua [81.21.15.199] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 8 21:08:15 router sshd[23468]: Invalid user sales from 81.21.15.199
Mar 8 21:08:15 router sshguard[23158]: Matched address 81.21.15.199:4 attacking service 100
Mar 8 21:08:15 router sshguard[23158]: Looking for address '81.21.15.199:4'...
Mar 8 21:08:15 router sshguard[23158]: Not found.
Mar 8 21:08:15 router sshguard[23158]: Blacklisting address '81.21.15.199:4' after 1 abuses.
Memory dump:

router: # *** glibc detected *** /usr/local/sbin/sshguard: free(): invalid pointer: 0x0000000000615500 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f5573990948]
/lib/libc.so.6(cfree+0x76)[0x7f5573992a56]
/usr/local/sbin/sshguard[0x4076d6]
/usr/local/sbin/sshguard[0x4079b7]
/usr/local/sbin/sshguard[0x405eb0]
/usr/local/sbin/sshguard[0x404586]
/usr/local/sbin/sshguard[0x404c74]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f557393b1a6]
/usr/local/sbin/sshguard[0x401ba9]
======= Memory map: ========
00400000-00415000 r-xp 00000000 fe:03 3153923 /usr/local/sbin/sshguard
00615000-00616000 rw-p 00015000 fe:03 3153923 /usr/local/sbin/sshguard
00616000-00618000 rw-p 00616000 00:00 0
0109c000-010c5000 rw-p 0109c000 00:00 0 [heap]
40a84000-40a85000 ---p 40a84000 00:00 0
40a85000-41285000 rw-p 40a85000 00:00 0
7f556c000000-7f556c021000 rw-p 7f556c000000 00:00 0
7f556c021000-7f5570000000 ---p 7f556c021000 00:00 0
7f5573706000-7f557371c000 r-xp 00000000 08:02 7888 /lib/libgcc_s.so.1
7f557371c000-7f557391c000 ---p 00016000 08:02 7888 /lib/libgcc_s.so.1
7f557391c000-7f557391d000 rw-p 00016000 08:02 7888 /lib/libgcc_s.so.1
7f557391d000-7f5573a67000 r-xp 00000000 08:02 8125 /lib/libc-2.7.so
7f5573a67000-7f5573c66000 ---p 0014a000 08:02 8125 /lib/libc-2.7.so
7f5573c66000-7f5573c69000 r--p 00149000 08:02 8125 /lib/libc-2.7.so
7f5573c69000-7f5573c6b000 rw-p 0014c000 08:02 8125 /lib/libc-2.7.so
7f5573c6b000-7f5573c70000 rw-p 7f5573c6b000 00:00 0
7f5573c70000-7f5573c86000 r-xp 00000000 08:02 8092 /lib/libpthread-2.7.so
7f5573c86000-7f5573e86000 ---p 00016000 08:02 8092 /lib/libpthread-2.7.so
7f5573e86000-7f5573e88000 rw-p 00016000 08:02 8092 /lib/libpthread-2.7.so
7f5573e88000-7f5573e8c000 rw-p 7f5573e88000 00:00 0
7f5573e8c000-7f5573ea8000 r-xp 00000000 08:02 8128 /lib/ld-2.7.so
7f5574096000-7f5574098000 rw-p 7f5574096000 00:00 0
7f55740a3000-7f55740a7000 rw-p 7f55740a3000 00:00 0
7f55740a7000-7f55740a9000 rw-p 0001b000 08:02 8128 /lib/ld-2.7.so
7fff7c093000-7fff7c0a8000 rw-p 7ffffffea000 00:00 0 [stack]
7fff7c1fe000-7fff7c1ff000 r-xp 7fff7c1fe000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

sshguard starts with the command:

/usr/bin/tail -- -n0 -F /var/log/auth.log | /usr/local/sbin/sshguard -a 2 -b 1:/var/cache/sshguard/blacklist &

I use a copy of sshguard from svn http://sshguard.sourceforge.net/svn.html. sshguard is compiled on Debian lenny with libc6 version 2.7.

Thanks,
--
Leonid Shulov <Leo...@en...>
Entropic Communications Israel
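Added worked example (not part of Leonid's report and not sshguard's own code): a small C program that reads memory-map lines in the format glibc prints under "Memory map:" and tells you which mapping the pointer named in a "free(): invalid pointer" message falls into. Function names such as parse_maps_line and classify_free_target are my own; the map lines embedded in the program are a subset copied from the report above.

```c
#include <stdio.h>
#include <string.h>

/* One entry from /proc/<pid>/maps, which is also the format glibc prints
   under "Memory map:" when it aborts on a bad free(). */
typedef struct {
    unsigned long long start, end;
    char perms[5];     /* e.g. "rw-p" */
    char path[256];    /* file path, "[heap]", "[stack]", or "" for anonymous */
} mapping_t;

/* Parse one maps line. Returns 1 on success, 0 if the line is malformed.
   The trailing path column is optional (anonymous mappings have none). */
int parse_maps_line(const char *line, mapping_t *m)
{
    unsigned long long offset, inode;
    char dev[8];
    m->path[0] = '\0';
    int n = sscanf(line, "%llx-%llx %4s %llx %7s %llu %255s",
                   &m->start, &m->end, m->perms, &offset, dev, &inode, m->path);
    return n >= 6;
}

/* Index of the mapping containing addr, or -1 if addr is not mapped at all. */
int find_mapping(const mapping_t *maps, int count, unsigned long long addr)
{
    for (int i = 0; i < count; i++)
        if (addr >= maps[i].start && addr < maps[i].end)
            return i;
    return -1;
}

/* Where does a pointer handed to free() live?  malloc() only ever returns
   addresses inside [heap] or inside anonymous mappings (mmap'd chunks and
   secondary arenas); a pointer into the binary's own data segment, the stack,
   or an unmapped range was never allocated and free() is right to reject it. */
const char *classify_free_target(const mapping_t *maps, int count,
                                 unsigned long long addr)
{
    int i = find_mapping(maps, count, addr);
    if (i < 0)                                return "unmapped";
    if (strcmp(maps[i].path, "[heap]") == 0)  return "heap";
    if (strcmp(maps[i].path, "[stack]") == 0) return "stack";
    if (maps[i].path[0] == '\0')              return "anonymous mapping (mmap or malloc arena)";
    if (strchr(maps[i].perms, 'w'))           return "static data of a mapped file";
    return "read-only or executable segment of a mapped file";
}

/* Subset of the "Memory map:" lines copied from the crash report above. */
static const char *sample_maps[] = {
    "00400000-00415000 r-xp 00000000 fe:03 3153923 /usr/local/sbin/sshguard",
    "00615000-00616000 rw-p 00015000 fe:03 3153923 /usr/local/sbin/sshguard",
    "00616000-00618000 rw-p 00616000 00:00 0",
    "0109c000-010c5000 rw-p 0109c000 00:00 0 [heap]",
    "7f556c000000-7f556c021000 rw-p 7f556c000000 00:00 0",
    "7f557391d000-7f5573a67000 r-xp 00000000 08:02 8125 /lib/libc-2.7.so",
    "7fff7c093000-7fff7c0a8000 rw-p 7ffffffea000 00:00 0 [stack]",
    "ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]",
};

/* Parse the embedded sample into out[]; returns the number of entries parsed. */
int load_sample_maps(mapping_t *out, int max)
{
    int n = 0;
    size_t total = sizeof sample_maps / sizeof sample_maps[0];
    for (size_t i = 0; i < total && n < max; i++)
        if (parse_maps_line(sample_maps[i], &out[n]))
            n++;
    return n;
}

int main(void)
{
    mapping_t maps[32];
    int n = load_sample_maps(maps, 32);
    unsigned long long bad = 0x615500ULL;   /* pointer from the glibc message above */
    int i = find_mapping(maps, n, bad);
    printf("0x%llx -> %s", bad, classify_free_target(maps, n, bad));
    if (i >= 0)
        printf(" (%llx-%llx %s %s)", maps[i].start, maps[i].end,
               maps[i].perms, maps[i].path);
    printf("\n");
    return 0;
}
```

Run against the report's own map, 0x615500 lands in 00615000-00616000 rw-p of /usr/local/sbin/sshguard, i.e. the writable data segment of the sshguard binary itself, not in [heap] or any anonymous arena. That is consistent with free() being called on a global or static buffer (or on a pointer that was never returned by malloc) somewhere in the blacklist path that the log shows running just before the crash. The return addresses in the backtrace (0x4076d6, 0x4079b7, ...) can be mapped to source lines on the same build with addr2line -e /usr/local/sbin/sshguard, provided the binary was not stripped.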