From: James H. <jam...@gm...> - 2015-03-26 00:08:29
I created a pull request with the suggested changes. In addition to waiting for the lock, it includes improved start-up time, as it avoids reverse DNS lookup on all blocked IPs. I have been running with these changes for a while without issue.

I agree that if the table is locked, most likely any other operation sshguard attempts will also fail. The question is: should sshguard wait indefinitely to acquire the lock? I would suggest that after a reasonably long timeout it should log the failure and enter a failed state by exiting. If sshguard was blocked for a significant period of time without warning, one might assume they are still being actively protected when they are not.

On Tue, Mar 24, 2015 at 7:39 PM, Kevin Zheng <kev...@gm...> wrote:
> Hi James,
>
> Thanks for analyzing and reporting the issue.
>
> On 03/24/2015 16:19, James Harris wrote:
> > But it doesn't look like that is enough. I suspect libvirtd has
> > 'finished' starting up but has not completed the iptable changes it
> > requires. What about adding "-w" to the iptables firewall commands? The
> > downside is the command could block for a while. Should run_command()
> > fork/exec and wait for a specific timeout before giving up on the
> > command? Is blocking indefinitely acceptable, or is this all on deck for
> > the libev rewrite?
>
> It doesn't sound like the xtables lock is held for a long time; if
> you're feeling adventurous you can try adding "-w" (I can give you a
> patch to test if you wish) and see what happens.
>
> If the firewall command blocks, SSHGuard will stop processing new log
> entries until system() returns. On a practical note, if xtables is
> really locked then returning immediately doesn't gain anything; the next
> attack cannot be blocked, so we might as well wait.
>
> This would not be fixed by the libev rewrite, although sometime in the
> distant future firewall commands may be executed in a separate process.
> However, even this does not solve the underlying issue; although
> SSHGuard will continue to run, nothing will be blocked.
>
> I'm not familiar with, nor do I run iptables, but it sounds like adding
> "-w" doesn't have huge issues and makes sense.
>
> Thanks,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

--
James Harris
Software Engineer
jam...@gm...
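The thread debates whether a firewall command should be allowed to block sshguard indefinitely or whether run_command() should fork/exec, wait for a bounded time, and treat a stuck backend as a fatal failure so the operator is not left believing they are protected. The following is an added illustration of that supervised-execution pattern; it is not sshguard's code or James's patch. The names run_command_timeout, run_shell and run_status are assumptions made here, and `sleep` stands in for an iptables invocation that is waiting on the xtables lock.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Outcome of a supervised firewall command (hypothetical enum, not sshguard's). */
enum run_status { RUN_OK = 0, RUN_FAILED = 1, RUN_TIMEOUT = 2, RUN_ERROR = 3 };

/* Milliseconds elapsed since start, on the monotonic clock (immune to NTP steps). */
static long elapsed_ms(const struct timespec *start) {
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    return (now.tv_sec - start->tv_sec) * 1000L +
           (now.tv_nsec - start->tv_nsec) / 1000000L;
}

/* fork/exec argv and wait at most timeout_ms for it to finish.
 * A child that outlives the deadline is killed and reaped, so the caller
 * is never blocked indefinitely the way a plain system() call would be. */
int run_command_timeout(char *const argv[], long timeout_ms) {
    pid_t pid = fork();
    if (pid < 0)
        return RUN_ERROR;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                     /* exec failed: report like a shell would */
    }

    struct timespec start;
    clock_gettime(CLOCK_MONOTONIC, &start);
    const struct timespec tick = { 0, 10 * 1000000L };   /* poll every 10 ms */

    for (;;) {
        int status;
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? RUN_OK : RUN_FAILED;
        if (r < 0 && errno != EINTR)
            return RUN_ERROR;
        if (elapsed_ms(&start) >= timeout_ms) {
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);   /* reap the child so it does not linger as a zombie */
            return RUN_TIMEOUT;
        }
        nanosleep(&tick, NULL);
    }
}

/* Convenience wrapper mirroring system(): run a shell command line with a deadline. */
int run_shell(const char *cmdline, long timeout_ms) {
    char *const argv[] = { "/bin/sh", "-c", (char *)cmdline, NULL };
    return run_command_timeout(argv, timeout_ms);
}

/* Sample supervisor: a backend that never returns is logged and treated as fatal,
 * so the daemon exits rather than silently running with no blocking in effect. */
int main(void) {
    /* Constructed stand-in for a firewall command; "sleep 30" simulates a held lock.
     * Override with FW_CMD="true" to see the success path. */
    const char *cmd = getenv("FW_CMD") ? getenv("FW_CMD") : "sleep 30";
    int rc = run_shell(cmd, 2000);
    switch (rc) {
    case RUN_OK:      puts("firewall command succeeded"); return 0;
    case RUN_FAILED:  fputs("firewall command exited non-zero\n", stderr); return 1;
    case RUN_TIMEOUT: fputs("firewall command timed out; entering failed state\n", stderr); return 2;
    default:          fputs("could not run firewall command\n", stderr); return 3;
    }
}
```

The deadline is the only policy knob: a long value (tens of seconds) tolerates the brief lock contention Kevin expects, while still converting a permanently stuck backend into a visible, non-zero exit that a service manager can alert on or restart. Note that killing the child does not release the xtables lock held by some other process; it only stops this daemon from waiting on it forever.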