From: Mij <mi...@bi...> - 2009-03-10 01:07:49
Hi Leonid,

Thanks for your feedback on the blacklisting feature. I want to get it
quickly out of the experimental status as many people manifested
primary interest in it. Yet I cannot reproduce this crash.

Please
1) fetch the version currently in svn
2) please compile without installing (installing strips debug symbols)
3) run the binary by hand from the src directory (mind the "-d"):
    $ cd src
    $ ./sshguard -d -a 2 -b 1:/var/cache/sshguard/blacklist
4) paste the messages you report causing crash, observe if it crashes
5) send your next messages in plain text

If it still crashes, you'd need to run sshguard under gdb:
    $ gdb ./sshguard
    run -d -a 2 -b 1:/var/cache/sshguard/blacklist
paste your stuff and when it crashes issue "backtrace", and send in
the output of that.

On Mar 9, 2009, at 8:22, Leonid Shulov wrote:

> Hi,
>
> After below attack sshguard crashed:
> Mar 8 21:01:54 router sshd[23464]: Did not receive identification
> string from 81.21.15.199
> Mar 8 21:01:55 router sshguard[23158]: Matched address
> 81.21.15.199:4 attacking service 100
> Mar 8 21:08:13 router sshd[23466]: reverse mapping checking
> getaddrinfo for unknown-host.intellecom.net.ua [81.21.15.199] failed
> - POSSIBLE BREAK-IN ATTEMPT!
> Mar 8 21:08:13 router sshd[23466]: Invalid user staff from
> 81.21.15.199
> Mar 8 21:08:14 router sshguard[23158]: Matched address
> 81.21.15.199:4 attacking service 100
> Mar 8 21:08:14 router sshguard[23158]: Blocking 81.21.15.199:4 for
> >420secs: 2 failures over 379 seconds.
> Mar 8 21:08:14 router sshguard[23158]: Setting environment:
> SSHG_ADDR=81.21.15.199;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Mar 8 21:08:14 router sshguard[23158]: Run command "case
> $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s $SSHG_ADDR -
> j DROP ;; 6) exec /sbin/ip6tables -I sshguard -s $SSHG_ADDR -j
> DROP ;; *) exit -2 ;; esac": exited 0.
> Mar 8 21:08:14 router sshguard[23158]: First sight of offender
> '81.21.15.199:4', adding to offenders list.
> Mar 8 21:08:14 router sshguard[23158]: Matched address
> 81.21.15.199:4 attacking service 100
> Mar 8 21:08:15 router sshd[23468]: reverse mapping checking
> getaddrinfo for unknown-host.intellecom.net.ua [81.21.15.199] failed
> - POSSIBLE BREAK-IN ATTEMPT!
> Mar 8 21:08:15 router sshd[23468]: Invalid user sales from
> 81.21.15.199
> Mar 8 21:08:15 router sshguard[23158]: Matched address
> 81.21.15.199:4 attacking service 100
> Mar 8 21:08:15 router sshguard[23158]: Looking for address
> '81.21.15.199:4'...
> Mar 8 21:08:15 router sshguard[23158]: Not found.
> Mar 8 21:08:15 router sshguard[23158]: Blacklisting address
> '81.21.15.199:4' after 1 abuses.
>
>
> Memory dump:
> router: # *** glibc detected *** /usr/local/sbin/sshguard: free():
> invalid pointer: 0x0000000000615500 ***
> [snip]
>
> sshguard starts a command:
> /usr/bin/tail -- -n0 -F /var/log/auth.log | /usr/local/sbin/sshguard
> -a 2 -b 1:/var/cache/sshguard/blacklist &
>
>
> I use a copy sshguard from svn http://sshguard.sourceforge.net/svn.html
> .
>
> sshguard is compiled on Debian lenny with libc6 version 2.7.
>
>
> Thanks,
> --
> Leonid Shulov <Leo...@en...>
> Entropic Communications Israel