From: Greg A. W. <wo...@pl...> - 2011-10-03 20:30:07
SSHGuard-1.5 seems to go into an infinite loop at some point, when a log
file it is watching with "-l" is archived and re-created.
It does not appear to be reading new entries from the log, and totally
missed an SSH attack, plus secondary manual testing.

This is on NetBSD-4. HAVE_KQUEUE is defined.

I've reconfigured to drive it on STDIN directly from syslogd for now,
but I'd rather have it watch the log file as a daemon than have to feed
it from syslogd. I guess I could use "tail -F" which is reliable and
working on NetBSD (and which also uses kqueue). Perhaps SSHGuard has
too many features and really should rely on something like "tail -F",
though unfortunately "tail -F" only works on one file at a time on
many (most/all?) platforms.

BTW, you'll see that after I detach from it with gdb the CPU use drops,
but still does not go down to a reasonable level, and it still continues
to ignore new entries in the log file.
12:38 [2267] # /etc/rc.d/sshguard status
sshguard is running as pid 20463.
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
root 20463 99.7 0.0 61792 1088 ? Rsa 8:12PM 985:56.51 /usr/local/sbin/sshguard -w 10.0.0.0/8 -w XXX.XXX.XXX.0/24 -l /var/log/au
12:39 [2268] # gdb /usr/local/sbin/sshguard 20463
[GDB will not be able to debug user-mode threads: Service unavailable]
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386--netbsdelf"...
Attaching to program: /usr/local/sbin/sshguard, process 20463
Reading symbols from /usr/lib/libpthread.so.0...done.
Loaded symbols for /usr/lib/libpthread.so.0
Reading symbols from /usr/lib/libc.so.12...done.
Loaded symbols for /usr/lib/libc.so.12
Reading symbols from /usr/libexec/ld.elf_so...done.
Loaded symbols for /usr/libexec/ld.elf_so
0xbbb22937 in kevent () from /usr/lib/libc.so.12
(gdb) where
#0 0xbbb22937 in kevent () from /usr/lib/libc.so.12
#1 0x0804c742 in logsuck_getline (buf=0xbfbfdcac "", buflen=1000, from_previous_source=false, whichsource=0xbfbfe0d0)
at sshguard_logsuck.c:240
#2 0x08049d6f in main (argc=74524, argv=0xbbbed400) at sshguard.c:255
(gdb) cont
Continuing.
^?
Program received signal SIGINT, Interrupt.
0xbbb22937 in kevent () from /usr/lib/libc.so.12
(gdb) where
#0 0xbbb22937 in kevent () from /usr/lib/libc.so.12
#1 0x0804c742 in logsuck_getline (buf=0xbfbfdcac "", buflen=1000, from_previous_source=false, whichsource=0xbfbfe0d0)
at sshguard_logsuck.c:240
#2 0x08049d6f in main (argc=74524, argv=0xbbbed400) at sshguard.c:255
(gdb) quit
The program is running. Quit anyway (and detach it)? (y or n) y
Detaching from program: /usr/local/sbin/sshguard, process 20463
12:39 [2269] # /etc/rc.d/sshguard status
sshguard is running as pid 20463.
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
root 20463 40.8 0.0 61792 1084 ? Rsa 8:12PM 986:18.74 /usr/local/sbin/sshguard -w 10.0.0.0/8 -w XXX.XXX.XXX.0/24 -l /var/log/au
12:39 [2270] # /etc/rc.d/sshguard status
sshguard is running as pid 20463.
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
root 20463 43.7 0.0 61792 1084 ? Rsa 8:12PM 986:20.04 /usr/local/sbin/sshguard -w 10.0.0.0/8 -w XXX.XXX.XXX.0/24 -l /var/log/au
12:39 [2271] # /etc/rc.d/sshguard status
sshguard is running as pid 20463.
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
root 20463 49.0 0.0 61792 1084 ? Rsa 8:12PM 986:21.64 /usr/local/sbin/sshguard -w 10.0.0.0/8 -w XXX.XXX.XXX.0/24 -l /var/log/au
--
Greg A. Woods
+1 250 762-7675 RoboHack <wo...@ro...>
Planix, Inc. <wo...@pl...> Secrets of the Weird <wo...@we...>
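The failure mode reported above (a watcher that stays attached to the old descriptor after the log is archived and re-created) is what a "follow by name" reader has to handle. The block below is an added example, not SSHGuard's code: a portable C follower that records the device and inode of the file it opened, polls stat() on the path (in place of kqueue, so it runs anywhere) to notice that the name now resolves to a different file, and reopens; the file names and log lines in the demo are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
struct follower { const char *path; FILE *fp; dev_t dev; ino_t ino; };
/* Open f->path and record the identity (device, inode) of the file opened. */
static int follower_open(struct follower *f) {
    struct stat st;
    FILE *fp = fopen(f->path, "r");
    if (fp == NULL) return -1;
    if (fstat(fileno(fp), &st) != 0) { fclose(fp); return -1; }
    f->fp = fp; f->dev = st.st_dev; f->ino = st.st_ino;
    return 0;
}
/* If the name now resolves to a different file (old one archived, new one
 * created), switch to it.  Returns 1 on reopen, 0 if nothing changed. */
static int follower_check_rotation(struct follower *f) {
    struct stat st; FILE *old = f->fp;
    if (stat(f->path, &st) != 0) return 0;      /* not re-created yet: keep waiting */
    if (st.st_dev == f->dev && st.st_ino == f->ino) return 0;
    if (follower_open(f) != 0) return 0;        /* keep the old stream on failure */
    fclose(old);
    return 1;
}
/* Read every line available now; clearerr() so later appends are still seen. */
static int follower_drain(struct follower *f) {
    char line[1000]; int n = 0;
    while (fgets(line, sizeof line, f->fp) != NULL) n++;
    clearerr(f->fp);
    return n;
}
static int write_lines(const char *path, const char *text) {   /* demo helper */
    FILE *w = fopen(path, "w");
    if (w == NULL) return -1;
    fputs(text, w);
    return fclose(w);
}
/* Demo: 2 lines, archive + re-create, 3 more lines; returns lines seen (5). */
int demo_rotation(const char *path, const char *archived) {
    struct follower f = { path, NULL, 0, 0 }; int seen;
    if (write_lines(path, "Failed password for root\nFailed password for admin\n") != 0) return -1;
    if (follower_open(&f) != 0) return -1;
    seen = follower_drain(&f);                  /* 2 from the original file */
    if (rename(path, archived) != 0 || write_lines(path, "a\nb\nc\n") != 0) return -1;
    seen += follower_drain(&f);                 /* 0: the old stream still points at the archive */
    if (follower_check_rotation(&f)) seen += follower_drain(&f);   /* 3 from the new file */
    fclose(f.fp); unlink(path); unlink(archived);
    return seen;
}
```

Without the rotation check the second drain returns nothing and every later line goes unread, which matches the symptom of missed entries after the log is re-created.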