Menu
▾
▴
Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed
|
From: Robert S <rob...@gm...> - 2010-04-14 01:51:19
|
Thanks.
This seems to be an intermittent problem and can be difficult to
reproduce. It usually starts some time after I have invoked the
sshguard command.
I am running sshguard in a screen session:
# export SSHGUARD_DEBUG=0; sshguard -l /var/log/auth.log -f
100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w
/etc/sshguard.whitelist 2>&1 tee /tmp/sshguard.log
After a while, the logging seems to stop happening:
Reading a token: --accepting rule at line 133 (" not allowed because
none of user's groups are listed in AllowGroups")
Next token is token SSH_NOTALLOWEDSUFF ()
Shifting token SSH_NOTALLOWEDSUFF ()
Entering state 71
Reducing stack by rule 32 (line 275):
$1 = token SSH_NOTALLOWEDPREF ()
$2 = nterm addr ()
$3 = token SSH_NOTALLOWEDSUFF ()
-> $$ = nterm ssh_illegaluser ()
Stack now 0 1
Entering state 31
Reducing stack by rule 26 (line 263):
$1 = nterm ssh_illegaluser ()
-> $$ = nterm sshmsg ()
Stack now 0 1
Entering state 30
Reducing stack by rule 11 (line 169):
$1 = nterm sshmsg ()
-> $$ = nterm msg_single ()
Stack now 0 1
Entering state 28
Reducing stack by rule 9 (line 163):
$1 = nterm msg_single ()
-> $$ = nterm logmsg ()
Stack now 0 1
Entering state 46
Reducing stack by rule 5 (line 138):
$1 = token SYSLOG_BANNER_PID ()
$2 = nterm logmsg ()
< nothing happens from here on even if I try to log in again using ssh >
If I enter killall -TSTP sshguard and killall -CONT sshguard, nothing
happens to the log output.
"top" does not reveal excess use of CPU.
Here is lsof output
# lsof |grep sshguard
sshguard 6376 root cwd DIR 3,6 4096
735903 /root
sshguard 6376 root rtd DIR 3,6 4096
2 /
sshguard 6376 root txt REG 3,6 371826
757808 /root/sshguard/sshguard
sshguard 6376 root mem REG 3,6 1399984
654712 /lib/libc-2.10.1.so
sshguard 6376 root mem REG 3,6 137284
654892 /lib/libpthread-2.10.1.so
sshguard 6376 root mem REG 3,6 123168
654880 /lib/ld-2.10.1.so
sshguard 6376 root 0u CHR 136,1 0t0
4 /dev/pts/1
sshguard 6376 root 1w FIFO 0,5 0t0
11866 pipe
sshguard 6376 root 2w FIFO 0,5 0t0
11866 pipe
sshguard 6376 root 3r REG 3,8 141517
31962 /var/log/auth.log
sshguard 6376 root 4r FIFO 0,5 0t0
14686 pipe
sshguard 6376 root 5w FIFO 0,5 0t0
14686 pipe
tee 6377 root 3w REG 3,6 37094
703149 /tmp/sshguard.log
Here is the ps and gdb output:
# ps ax |grep sshguard
6376 pts/1 Sl+ 0:00 sshguard/sshguard -l /var/log/auth.log -f
100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w
/etc/sshguard.whitelist
6377 pts/1 S+ 0:00 tee /tmp/sshguard.log
6754 pts/0 R+ 0:00 grep --colour=auto sshguard
# gdb
warning: Can not parse XML syscalls information; XML support was
disabled at compile time.
GNU gdb (Gentoo 7.0 p2) 7.0
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
(gdb) attach 6376
Attaching to process 6376
Reading symbols from /root/sshguard/sshguard...done.
Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
[New Thread 0x7f997084d910 (LWP 6380)]
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging
symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
0x00007f9970bb593f in waitpid () from /lib/libpthread.so.0
(gdb) break
Breakpoint 1 at 0x7f9970bb593f
(gdb) backtrace full
#0 0x00007f9970bb593f in waitpid () from /lib/libpthread.so.0
No symbol table info available.
#1 0x0000000000403e56 in procauth_ischildof (service_code=<value
optimized out>, pid=6453) at sshguard_procauth.c:210
retA = <value optimized out>
pidA = <value optimized out>
ps2grep = {4, 5}
pattern = "6453[[:space:]]+4547\000\177\000\000o\340\213p\231\177"
retB = <value optimized out>
pidB = <value optimized out>
#2 procauth_isauthoritative (service_code=<value optimized out>,
pid=6453) at sshguard_procauth.c:138
No locals.
#3 0x0000000000407f56 in yyparse (source_id=-194048594) at attack_parser.y:140
yystate = <value optimized out>
yyn = 0
yyresult = <value optimized out>
yyerrstatus = 0
yytoken = 16
yyssa = {0, 1, 46, 53, 71, 28811, 32665, 0, 1, 0, 1, 0, 6240,
28858, 32665, 0, 6240, 28858, 32665, 0, 1, 0, 0, 0, 6371, 28858,
32665, 0, -11334, 28811,
32665, 0, -7336, 28925, 32665, 0, 1, 0, 0, 0, 6240, 28858,
32665, 0, 10, 0, 0, 0, 1024, 0, 0, 0, -10507, 28811, 32665, 0, 6240,
28858, 32665, 0, -8081,
28811, 32665, 0, 6240, 28858, 32665, 0, 10, 0, 0, 0, 24, 0,
0, 0, -2176, 14210, 32767, 0, -2384, 14210, 32767, 0, 24032, 101, 0,
0, -2368, 14210, 32767, 0,
14856, 64, 0, 0, -30720, 0, 0, 0, -2096, 14210, 32767, 0,
-2336, 14210, 32767, 0, 29248, 99, 5, 0, 28384, 102, 0, 0, 32, 0, 0,
0, 24032, 101, 0, 0, 19547,
28859, 32665, 0, 4196, 28858, 32665, 0, 72, 0, 0, 0, 11872,
28858, 32665, 0, 20026, 64, 0, 0, 776, 0, 0, 0, 31962, 0, 0, 0, 192,
0, 0, 0, 138, 0, 0, 0, 0,
0, 0, 0, 19561, 28859, 32665, 0, 0, 0, 0, 0, 11872, 28858,
32665, 0, -14704, 99, 0, 0, 72, 0, 0, 0, 138, 0, 0, 0, -960, 14210,
32767, 0, -23664, 100, 0, 0,
25386, 28812, 32665, 0}
yyss = 0x7fff3782f600
yyssp = 0x7fff3782f604
yyvsa = {{str = 0x0, num = 0}, {str = 0x1935 <Address 0x1935
out of bounds>, num = 6453}, {str = 0x1935 <Address 0x1935 out of
bounds>, num = 6453}, {
str = 0x638280 " not allowed because none of user's groups
are listed in AllowGroups", num = 6521472}, {
str = 0x638280 " not allowed because none of user's groups
are listed in AllowGroups", num = 6521472}, {str = 0x7f9970ba2e60 "",
num = 1891249760}, {
str = 0x0, num = 0}, {str = 0x4 <Address 0x4 out of
bounds>, num = 4}, {str = 0x63cc00 "\020pf", num = 6540288}, {
str = 0x2d50 <Address 0x2d50 out of bounds>, num = 11600},
{str = 0x2b <Address 0x2b out of bounds>, num = 43}, {
str = 0x112 <Address 0x112 out of bounds>, num = 274},
{str = 0x7fff3782f039 "\003", num = 931328057}, {str = 0x7fff3782f001
"\314c", num = 931328001}, {
str = 0x3f0 <Address 0x3f0 out of bounds>, num = 1008},
{str = 0x3c8 <Address 0x3c8 out of bounds>, num = 968}, {str = 0x0,
num = 0}, {
str = 0x7fff3782ef30 "\004", num = 931327792}, {str =
0x666fe0 "", num = 6713312}, {str = 0x2708f8e03 <Address 0x2708f8e03
out of bounds>,
num = 1888456195}, {str = 0x3782f0a0 <Address 0x3782f0a0
out of bounds>, num = 931328160}, {str = 0x70ba2e60 <Address
0x70ba2e60 out of bounds>,
num = 1891249760}, {str = 0x0, num = 0}, {str =
0x3d0063f988 <Address 0x3d0063f988 out of bounds>, num = 6551944},
{str = 0x7fff3782f7ac "",
num = 931329964}, {str = 0x7f9970ba2e60 "", num =
1891249760}, {str = 0x50 <Address 0x50 out of bounds>, num = 80}, {
str = 0x48 <Address 0x48 out of bounds>, num = 72}, {str =
0x63f930 "\340of", num = 6551856}, {str = 0x63dd70 " \340c", num =
6544752}, {
str = 0x63fa48 "", num = 6552136}, {str = 0x7f99708c632a
"H\205\300H\211\305\017\204\232", num = 1888248618}, {str = 0x63cc00
"\020pf", num = 6540288}, {
str = 0x63dd70 " \340c", num = 6544752}, {str = 0x0, num =
0}, {str = 0x300000000 <Address 0x300000000 out of bounds>, num = 0},
{
str = 0x63f930 "\340of", num = 6551856}, {str =
0x7f9970ba2e60 "", num = 1891249760}, {str = 0x0, num = 0}, {
str = 0x63d1c8 "al/var/sshguard/blacklist.db", num =
6541768}, {str = 0x7fff3782f130 "\377\377\377\377", num = 931328304},
{str = 0x0, num = 0}, {
str = 0x63dd70 " \340c", num = 6544752}, {str = 0x63d248
"", num = 6541896}, {str = 0x3 <Address 0x3 out of bounds>, num = 3},
{str = 0x63d208 "",
num = 6541832}, {str = 0xffffffff <Address 0xffffffff out
of bounds>, num = -1}, {str = 0x7f99708f6eb0
"H\203\304\030\303ff.\017\037\204",
num = 1888448176}, {str = 0x1 <Address 0x1 out of bounds>,
num = 1}, {str = 0x63d110 "", num = 6541584}, {
str = 0xffffffff <Address 0xffffffff out of bounds>, num = -1}, {
str = 0x7f99709029ac
"I\211\304\061\300M\205\344\017\224\300\351\024\376\377\377\061\355H\213\224$\200",
num = 1888496044}, {
str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str =
0x7f9970ba2e60 "", num = 1891249760}, {str = 0x0, num = 0}, {
---Type <return> to continue, or q <return> to quit---
str = 0x4 <Address 0x4 out of bounds>, num = 4}, {str =
0x63cc00 "\020pf", num = 6540288}, {str = 0x12b0 <Address 0x12b0 out
of bounds>, num = 4784}, {
str = 0x7fff3782f2e0 "\024", num = 931328736}, {str =
0xfffffffe00000004 <Address 0xfffffffe00000004 out of bounds>, num =
4}, {str = 0x7fff3782f32c "",
num = 931328812}, {str = 0x7fff3782f210 "", num =
931328528}, {str = 0x0, num = 0}, {str = 0x0, num = 0}, {str =
0x7fff3782f300 "", num = 931328768}, {
str = 0x7fff3782f2b0 "0\302\202\067\377\177", num =
931328688}, {str = 0x0, num = 0}, {str = 0x7fff3782f7ac "", num =
931329964}, {
str = 0x3b2fc <Address 0x3b2fc out of bounds>, num =
242428}, {str = 0x7fff3782f790 "\210", num = 931329936}, {str =
0x7fff3782f720 "\b\003",
num = 931329824}, {str = 0x0, num = 0}, {str = 0x2
<Address 0x2 out of bounds>, num = 2}, {
str = 0x7f99708a1a8f
"\351\357\362\377\377L\211\322H\213\005\022K0", num = 1888098959},
{str = 0x0, num = 0}, {str = 0x7fff3782f610 "\001",
num = 931329552}, {str = 0x1 <Address 0x1 out of bounds>,
num = 1}, {str = 0x0, num = 0}, {str = 0x7fff3782f4db "", num =
931329243}, {
str = 0x7f99708fe22c "\205\300\017\205\330\006", num =
1888477740}, {str = 0x7fff3782f4f0 "\234|\272p\231\177", num =
931329264}, {
str = 0x7fff3782f330 "", num = 931328816}, {str =
0x7fff3782f310 "", num = 931328784}, {str = 0x7fff3782f2f0 "", num =
931328752}, {
str = 0x7fff3782f38c "\231\177", num = 931328908}, {str =
0x7fff3782f370 "\002", num = 931328880}, {str = 0x7fff3782f350 "", num
= 931328848}, {
str = 0x7fff3782d230 "", num = 931320368}, {str = 0x64abe0
"p}d", num = 6597600}, {str = 0x63dd70 " \340c", num = 6544752}, {str
= 0x0, num = 0}, {
str = 0x7fff3782c1f0 "Пd", num = 931316208}, {str =
0x7fff3782c200 "\260\240d", num = 931316224}, {str = 0x7fff3782c210
"\340\241d", num = 931316240}, {
str = 0x7fff3782c230 "\002", num = 931316272}, {str =
0x33782f5c0 <Address 0x33782f5c0 out of bounds>, num = 931329472},
{str = 0x63c440 "\220\324c",
num = 6538304}, {str = 0x570ba2e60 <Address 0x570ba2e60
out of bounds>, num = 1891249760}, {str = 0x0, num = 0}, {str = 0x0,
num = 0}, {
str = 0x14 <Address 0x14 out of bounds>, num = 20}, {str =
0x2 <Address 0x2 out of bounds>, num = 2}, {
str = 0x3ff200000000000 <Address 0x3ff200000000000 out of
bounds>, num = 0}, {str = 0x0, num = 0}, {str = 0x0, num = 0}, {str =
0x0, num = 0}, {
str = 0x0, num = 0}, {str = 0x7fffffe07fffffe <Address
0x7fffffe07fffffe out of bounds>, num = 134217726}, {str = 0x0, num =
0}, {str = 0x0, num = 0}, {
str = 0x0, num = 0}, {str = 0x0, num = 0}, {str = 0x0, num
= 0}, {str = 0x0, num = 0}, {
str = 0x3ff200000000000 <Address 0x3ff200000000000 out of
bounds>, num = 0}, {str = 0x7f9970dcbdb3
"\205\300t\016\213C\f\205\300\017\204\276",
num = 1893514675}, {str = 0x0, num = 0}, {str =
0x7f9970fb8060 "\030\333\375p\231\177", num = 1895530592}, {str = 0x2
<Address 0x2 out of bounds>,
num = 2}, {str = 0x4 <Address 0x4 out of bounds>, num =
4}, {str = 0xb1b73c55 <Address 0xb1b73c55 out of bounds>, num =
-1313391531}, {
str = 0x7f9970dcc274
"H\205\300L\213D$\020D\213L$\bL\213\034$\017\205\067\376\377\377A\213\023\353\214I\203?",
num = 1893515892}, {
str = 0x7f9970850328
"U<\267\261}\367i\354\036\274y\207!\246>\030\203\217
\241\065'\230\312\364\027S\037\300\201\006\222\r~o\377\025\233z̗\344\020\234\344\353\362\261\222\022\260\210\337\317GF\237\006i\354\250\063\262\aEpN\375چ\375\"\321_9\017\026ϝ|\260JEK\255\350ۻ\272\206\370_\025-\313\023\204aw\375\336\266B\177\n\005\361ո+k\025\347\225
", num = 1887765288}, {str = 0x7fff00000015 <Address 0x7fff00000015
out of bounds>, num = 21}, {
str = 0x2c6dcf1 <Address 0x2c6dcf1 out of bounds>, num =
46587121}, {str = 0x7fff3782f3c0 "", num = 931328960}, {
str = 0x7fff3782f518 "`\200\373p\231\177", num =
931329304}, {str = 0x7f99708fe22c "\205\300\017\205\330\006", num =
1888477740}, {str = 0x0, num = 0}, {
str = 0x7fff3782f4b0 "", num = 931329200}, {str =
0x7fff3782f490 "`\030\272p\231\177", num = 931329168}, {str =
0x7fff3782f470 "`\030\272p\231\177",
num = 931329136}, {str = 0x7fff3782f50c "\231\177", num =
931329292}, {str = 0x7fff3782f4f0 "\234|\272p\231\177", num =
931329264}, {
str = 0x7fff3782f4d0 "\001", num = 931329232}, {str =
0x7fff3782d3b0 "", num = 931320752}, {str = 0x66e130 "\320\343f", num
= 6742320}, {
str = 0x63b350 "\360me", num = 6533968}, {str =
0x7fff00000000 <Address 0x7fff00000000 out of bounds>, num = 0}, {str
= 0x7fff3782c380 "\340\343f",
num = 931316608}, {str = 0x7fff3782c388 "\340\343f", num =
931316616}, {str = 0x7fff3782c390 "\340\343f", num = 931316624}, {str
= 0x7fff3782c3b0 "\001",
num = 931316656}, {str = 0x170ba1860 <Address 0x170ba1860
out of bounds>, num = 1891244128}, {str = 0x63b860 ".", num =
6535264}, {
str = 0x400000001 <Address 0x400000001 out of bounds>, num
= 1}, {str = 0x7f9970ba18e3 "\n", num = 1891244259}, {
str = 0x7f99708bd3ba "H\211\305\017\267\203\200", num =
1888211898}, {str = 0x10 <Address 0x10 out of bounds>, num = 16}, {
str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str =
0x7f9970ba1860 "\207(\255", <incomplete sequence \373>, num =
1891244128}, {
str = 0xa <Address 0xa out of bounds>, num = 10}, {str =
0x400 <Address 0x400 out of bounds>, num = 1024}, {
str = 0x7f99708bd6f5
"H9غ\377\377\377\377t\352\220\353\351fffff.\017\037\204", num =
1888212725}, {
str = 0x7f9970ba1860 "\207(\255", <incomplete sequence
\373>, num = 1891244128}, {
str = 0x7f99708be06f
"\203\300\001\017\205Y\377\377\377\270\377\377\377\377\351S\377\377\377f\017\037D",
num = 1888215151}, {
str = 0x7f9970ba1860 "\207(\255", <incomplete sequence
\373>, num = 1891244128}, {str = 0xa <Address 0xa out of bounds>, num
= 10}, {str = 0x0, num = 0},
{str = 0x7f9970dcbdb3
"\205\300t\016\213C\f\205\300\017\204\276", num = 1893514675}, {str =
0x0, num = 0}, {str = 0x7f9970fb8058 "X\326\375p\231\177",
num = 1895530584}, {str = 0x1 <Address 0x1 out of bounds>,
num = 1}, {str = 0x4 <Address 0x4 out of bounds>, num = 4}, {
str = 0x7c9d4d41 <Address 0x7c9d4d41 out of bounds>, num =
2090683713}, {str = 0x7f9970dcbdb3
"\205\300t\016\213C\f\205\300\017\204\276",
num = 1893514675}, {
str = 0x7f9970ba7c9c
"AM\235|\265\351Z\361\321a\362\025\207zR\310SAM\266Q\265\250\020ٱy\227\341ڑ&\227\312\066\233m\232\277\327\215G\342)\313#\301\342\347R\222j8\265\357\060\071\265\357\060\355\256\204ͱ\246JdU\006j\354\233\017\070\001\271|\315\027\tC\351\034]\300\t>\211\307\334\310\357\361\337z\366\060\254\062\367\060\---Type
<return> to continue, or q <return> to quit---
254\062\065", num = 1891269788}, {str = 0x7f9970fb8058
"X\326\375p\231\177", num = 1895530584}, {str = 0x1 <Address 0x1 out
of bounds>, num = 1}, {
str = 0x7f9970dcbdb3
"\205\300t\016\213C\f\205\300\017\204\276", num = 1893514675}, {str =
0xf6cf05c <Address 0xf6cf05c out of bounds>, num = 258797660},
{str = 0x7f9970fb8060 "\030\333\375p\231\177", num =
1895530592}, {str = 0x2 <Address 0x2 out of bounds>, num = 2}, {str =
0x4 <Address 0x4 out of bounds>,
num = 4}, {str = 0x3de00ec7 <Address 0x3de00ec7 out of
bounds>, num = 1038094023}, {
str = 0x7f9970dcc274
"H\205\300L\213D$\020D\213L$\bL\213\034$\017\205\067\376\377\377A\213\023\353\214I\203?",
num = 1893515892}, {
str = 0x7f99708501ec
"\307\016\340=i\177\200&\022\226\370\022\341X\037\304m\354\305\362\202\254l\001MW\211[e\345-\017\364\347\313\016\341\201/\177L־\314\352\033h\236\361\274\017\257f\177\023\376&W3\354\262\314\356Ei\344u\017P\230;\017\347+6\325\004y\247\025d\001\003\v\264\270#\375ˁ\"\b|\355\021\017gUa\020։+\243߅\351v\371\274\017\257\276\206\357\016\260\275\204
\301\256\020ia", <incomplete sequence \333>, num = 1887764972}, {
str = 0x7f9900000007 <Address 0x7f9900000007 out of
bounds>, num = 7}, {str = 0xf7803b <Address 0xf7803b out of bounds>,
num = 16220219}, {
str = 0x7fff3782f570 "", num = 931329392}, {str =
0x7fff3782f6c8 "\320\367\202\067\377\177", num = 931329736}, {str =
0x7f9970851c10 "",
num = 1887771664}, {str = 0x0, num = 0}, {str =
0x7f9970fb80a0 "\355\020@", num = 1895530656}, {str = 0x7f9970fddb18
"", num = 1895684888}, {
str = 0x400f08 "realloc", num = 4198152}, {str =
0x7f997085e558 "", num = 1887823192}, {str = 0x400c68 "P\001", num =
4197480}, {
str = 0x500000000 <Address 0x500000000 out of bounds>, num
= 0}, {str = 0x1000001db <Address 0x1000001db out of bounds>, num =
475}, {
str = 0xf6cf05c <Address 0xf6cf05c out of bounds>, num =
258797660}, {str = 0x7f9970fde358 "\270\342\375p\231\177", num =
1895687000}, {
str = 0x7fff3782f700 "d\020\272p\231\177", num =
931329792}, {str = 0x7fff3782f6c8 "\320\367\202\067\377\177", num =
931329736}, {
str = 0x3de00ec7 <Address 0x3de00ec7 out of bounds>, num =
1038094023}, {
str = 0x7f9970911889
"H\213D$\bH\203\304(H=\001\360\377\377s\001\303H\213\r\006\367(", num
= 1888557193}, {str = 0x0, num = 0}, {
str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str =
0x7f9970ba18e3 "\n", num = 1891244259}, {str = 0x1 <Address 0x1 out of
bounds>, num = 1}}
yyvs = 0x7fff3782efc0
yyvsp = 0x7fff3782efd0
yystacksize = 200
yyval = <value optimized out>
yylen = 2
#4 0x00000000004082e1 in parse_line (source_id=-194048594, str=<value
optimized out>) at attack_parser.y:379
ret = <value optimized out>
#5 0x00000000004025c1 in main (argc=6803856, argv=0x0) at sshguard.c:218
tid = 140296994478352
retv = <value optimized out>
source_id = 4100918702
buf = "Apr 14 08:48:36 basement sshd[6453]: User nobody from
122.227.43.37 not allowed because none of user's groups are listed in
AllowGroups\n\000\000\000\000\000\000\000\000\207\360\226|\000\000\000\000t\302\334p\231\177\000\000\330\033\205p\231\177\000\000\a\000\000\000\000\000\000\000\302[\362\001\000\000\000\000
\371\202\067\377\177\000\000x\372\202\067\377\177\000\000\020\034\205p\231\177\000\000\000\000\000\000\000\000\000\000\300\204\373p\231\177\000\000"...
HTH ;-)
|
