From: Michel <mi...@do...> - 2008-12-20 16:55:27

Hello,

I use sshguard-pf-1.3 on a FreeBSD 6.3-RELEASE with 2 jails and from time to time sshguard goes to 100% cpu.

  PID JID USERNAME THR PRI NICE  SIZE   RES STATE   TIME   WCPU COMMAND
  240   0 root       1 132    0 1936K 1188K RUN    31:03 98.34% sshguard
.......
.......
13756   0 root       4  20    0 1936K 1212K kserel  0:01  0.00% sshguard
......

When this occurs sshguard continues to protect the host:

Dec 19 08:47:11 yyyy sshguard[95523]: Blocking 89.188.34.150: 3 failures over 1 seconds.
Dec 19 09:08:23 yyyy sshguard[95523]: Blocking 89.145.245.192: 3 failures over 2 seconds.
Dec 19 09:26:06 yyyy sshguard[95523]: Blocking 122.166.15.47: 3 failures over 163 seconds.
Dec 19 09:47:16 yyyy sshguard[5822]: Blocking 75.125.177.242: 3 failures over 3 seconds.
Dec 19 09:47:17 yyyy sshguard[5822]: Blocking 121.134.8.168: 3 failures over 2 seconds.
Dec 19 10:13:30 yyyy sshguard[5822]: Blocking 89.145.245.192: 3 failures over 3 seconds.

but doesn't protect the jails any more:

Dec 19 09:40:05 zzzzzz sshd[4120]: Invalid user dominic from 121.134.8.168
Dec 19 09:40:07 zzzzzz sshd[4126]: Invalid user edgar from 121.134.8.168
Dec 19 09:40:09 zzzzzz sshd[4132]: Invalid user omar from 121.134.8.168
Dec 19 09:40:12 zzzzzz sshd[4138]: Invalid user derrick from 121.134.8.168
Dec 19 09:40:14 zzzzzz sshd[4144]: Invalid user hector from 121.134.8.168
Dec 19 09:40:17 zzzzzz sshd[4150]: Invalid user douglas from 121.134.8.168
Dec 19 09:40:19 zzzzzz sshd[4156]: Invalid user frank from 121.134.8.168
Dec 19 09:40:22 zzzzzz sshd[4162]: Invalid user tristan from 121.134.8.168
Dec 19 09:40:24 zzzzzz sshd[4168]: Invalid user collin from 121.134.8.168

I have to kill the 100% sshguard to return to "normal" behaviour.

Any help?

From: Mij <mi...@bi...> - 2009-01-14 18:58:57

Hello Michel,

Sorry for overlooking this post, I'm actually very interested.
To clarify your scenario: you have 2 instances of sshguard, one for the host, the other one for both jails. I guess both jails are logging to the same file, and you are monitoring that (?).

Is it always the "jails" process to show this behavior? Do you see anything strange ending up in logs? Can you report sshguard's more verbose messages (do you have debug.log or similar?)?

thanks

On Dec 20, 2008, at 5:55 PM, Michel wrote:

> Hello,
>
> I use sshguard-pf-1.3 on a FreeBSD 6.3-RELEASE with 2 jails and from
> time to time sshguard goes to 100% cpu.
>
> PID JID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU
> COMMAND
> 240 0 root 1 132 0 1936K 1188K
> RUN 31:03 98.34% sshguard
> .......
> .......
> 13756 0 root 4 20 0 1936K 1212K
> kserel 0:01 0.00% sshguard
> ......
>
>
> When this occurs sshguard continues to protect the host:
>
> Dec 19 08:47:11 yyyy sshguard[95523]: Blocking 89.188.34.150: 3
> failures over 1 seconds.
> Dec 19 09:08:23 yyyy sshguard[95523]: Blocking 89.145.245.192: 3
> failures over 2 seconds.
> Dec 19 09:26:06 yyyy sshguard[95523]: Blocking 122.166.15.47: 3
> failures over 163 seconds.
> Dec 19 09:47:16 yyyy sshguard[5822]: Blocking 75.125.177.242: 3
> failures over 3 seconds.
> Dec 19 09:47:17 yyyy sshguard[5822]: Blocking 121.134.8.168: 3
> failures over 2 seconds.
> Dec 19 10:13:30 yyyy sshguard[5822]: Blocking 89.145.245.192: 3
> failures over 3 seconds.
>
> but doesn't protect the jails any more:
>
> Dec 19 09:40:05 zzzzzz sshd[4120]: Invalid user dominic from
> 121.134.8.168
> Dec 19 09:40:07 zzzzzz sshd[4126]: Invalid user edgar from
> 121.134.8.168
> Dec 19 09:40:09 zzzzzz sshd[4132]: Invalid user omar from
> 121.134.8.168
> Dec 19 09:40:12 zzzzzz sshd[4138]: Invalid user derrick from
> 121.134.8.168
> Dec 19 09:40:14 zzzzzz sshd[4144]: Invalid user hector from
> 121.134.8.168
> Dec 19 09:40:17 zzzzzz sshd[4150]: Invalid user douglas from
> 121.134.8.168
> Dec 19 09:40:19 zzzzzz sshd[4156]: Invalid user frank from
> 121.134.8.168
> Dec 19 09:40:22 zzzzzz sshd[4162]: Invalid user tristan from
> 121.134.8.168
> Dec 19 09:40:24 zzzzzz sshd[4168]: Invalid user collin from
> 121.134.8.168
>
> I have to kill the 100% sshguard to return to "normal" behaviour.
>
> Any help?

From: Michel <mi...@do...> - 2009-01-15 13:10:14

On Wednesday 14 January 2009, Mij wrote:
> Hello Michel,
>
> Sorry for overlooking this post, I'm actually very interested.
> To clarify your scenario: you have 2 instances of sshguard,
> one for the host, the other one for both jails. I guess both
> jails are logging to the same file, and you are monitoring that (?).
>
> Is it always the "jails" process to show this behavior? Do you see
> anything strange ending up in logs? Can you report sshguard's more
> verbose messages (do you have debug.log or similar?)?
>
> thanks
>

No, I usually have only one sshguard running:

ps -aux | grep sshguard \
root 46873 0.0 0.1 1888 1132 ?? Is 10:00AM 0:00.05 /usr/local/sbin/sshguard -w

I use syslog in the jails to log all auth.log on the host and the syslog.conf of the host has the lines:

auth.info;authpriv.info /var/log/auth.log
auth.info;authpriv.info |exec /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800

The last time the problem appeared (from daily security mail):

Jan 14 09:42:00 michel sshd[28968]: Invalid user lpd from 203.252.182.37
Jan 14 09:42:03 michel sshd[28970]: Invalid user lpa from 203.252.182.37
Jan 14 09:42:06 michel sshd[28972]: Invalid user admin from 203.252.182.37
Jan 14 09:42:08 michel sshd[28974]: Invalid user admin from 203.252.182.37
Jan 14 09:42:11 michel sshd[28976]: Invalid user admin from 203.252.182.37

In the auth.log of the host (dedi2 is the host, dedi_? are the jails):

Jan 14 05:21:00 dedi_raphael sshd[26881]: Did not receive identification string from 216.127.160.82
Jan 14 05:21:00 dedi2 sshguard[21669]: Blocking 216.127.160.82: 3 failures over 156 seconds.
Jan 14 05:30:21 dedi2 sshguard[21669]: Releasing 195.207.16.76 after 690 seconds.
Jan 14 08:41:06 dedi2 sshd[28485]: Did not receive identification string from 201.134.249.168
Jan 14 08:48:15 dedi2 sshd[28550]: reverse mapping checking getaddrinfo for customer-201-134-249-168.uninet-ide.com.mx [201.134.249.168] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 14 08:48:15 dedi2 sshd[28550]: Invalid user globus from 201.134.249.168
Jan 14 09:42:00 dedi_michel sshd[28968]: Invalid user lpd from 203.252.182.37
Jan 14 09:42:03 dedi_michel sshd[28970]: Invalid user lpa from 203.252.182.37
Jan 14 09:42:06 dedi_michel sshd[28972]: Invalid user admin from 203.252.182.37
Jan 14 09:42:08 dedi_michel sshd[28974]: Invalid user admin from 203.252.182.37
Jan 14 09:42:11 dedi_michel sshd[28976]: Invalid user admin from 203.252.182.37
....
a lot of lines : >600 (1 every 2-3 seconds)
....
Jan 14 10:02:53 dedi_michel sshd[31475]: Invalid user leslie from 203.252.182.37
Jan 14 10:02:56 dedi_michel sshd[31477]: Invalid user leslie from 203.252.182.37
Jan 14 10:02:56 dedi2 sshguard[31479]: Started successfully [(a,p,s)=(3, 600, 1800)], now ready to scan.
Jan 14 10:02:58 dedi_michel sshd[31480]: Invalid user leslie from 203.252.182.37
Jan 14 10:03:01 dedi_michel sshd[31482]: Invalid user leslie from 203.252.182.37

And debug.0.log:

Jan 14 05:30:21 dedi2 sshguard[21669]: Setting environment: \
    SSHG_ADDR=195.207.16.76;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jan 14 05:30:21 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.225.216.24' as plain IPv4.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.225.216.24.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.241.2.81' as plain IPv4.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.241.2.81.
Jan 14 10:02:56 dedi2 sshguard[31479]: Matched IP address 203.252.182.37
Jan 14 10:03:01 dedi2 last message repeated 2 times
Jan 14 10:03:01 dedi2 sshguard[31479]: Setting environment: \
    SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tflush -t sshguard": exited 0.
Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: \
    SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.

It looks like sshguard is starting twice at 10:02:56?

From: Mij <mi...@bi...> - 2009-01-17 10:57:44

Hello Michel,

On Jan 15, 2009, at 13:31 , Michel wrote:

> On Wednesday 14 January 2009, Mij wrote:
>> Hello Michel,
>>
>> Sorry for overlooking this post, I'm actually very interested.
>> To clarify your scenario: you have 2 instances of sshguard,
>> one for the host, the other one for both jails. I guess both
>> jails are logging to the same file, and you are monitoring that (?).
>>
>> Is it always the "jails" process to show this behavior? Do you see
>> anything strange ending up in logs? Can you report sshguard's more
>> verbose messages (do you have debug.log or similar?)?
>>
>> thanks
>>
>
> No, I usually have only one sshguard running:
> ps -aux | grep sshguard \
> root 46873 0.0 0.1 1888 1132 ?? Is 10:00AM
> 0:00.05 /usr/local/sbin/sshguard -w
>
> I use syslog in the jails to log all auth.log on the host and the
> syslog.conf of the host has the lines:
> auth.info;authpriv.info /var/log/auth.log
> auth.info;authpriv.info |exec /usr/local/sbin/sshguard -w
> 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800

so you're saying:
1) there is one syslog running in your system, collecting everything from host+jails to auth.log
2) one sshguard is configured to be given these auth.log lines and blocks through PF for everything

> The last time the problem appeared (from daily security mail):
>
> Jan 14 09:42:00 michel sshd[28968]: Invalid user lpd from
> 203.252.182.37
> Jan 14 09:42:03 michel sshd[28970]: Invalid user lpa from
> 203.252.182.37
> Jan 14 09:42:06 michel sshd[28972]: Invalid user admin from
> 203.252.182.37
> Jan 14 09:42:08 michel sshd[28974]: Invalid user admin from
> 203.252.182.37
> Jan 14 09:42:11 michel sshd[28976]: Invalid user admin from
> 203.252.182.37

here you don't mean that after these lines sshguard loops, do you?

> In the auth.log of the host (dedi2 is the host, dedi_? are the
> jails):
>
> Jan 14 05:21:00 dedi_raphael sshd[26881]: Did not receive
> identification string from 216.127.160.82
> Jan 14 05:21:00 dedi2 sshguard[21669]: Blocking 216.127.160.82: 3
> failures over 156 seconds.
> Jan 14 05:30:21 dedi2 sshguard[21669]: Releasing 195.207.16.76 after
> 690 seconds.
> Jan 14 08:41:06 dedi2 sshd[28485]: Did not receive identification
> string from 201.134.249.168
> Jan 14 08:48:15 dedi2 sshd[28550]: reverse mapping checking
> getaddrinfo for customer-201-134-249-168.uninet-ide.com.mx
> [201.134.249.168] failed - POSSIBLE BREAK-IN ATTEMPT!
> Jan 14 08:48:15 dedi2 sshd[28550]: Invalid user globus from
> 201.134.249.168
> Jan 14 09:42:00 dedi_michel sshd[28968]: Invalid user lpd from
> 203.252.182.37
> Jan 14 09:42:03 dedi_michel sshd[28970]: Invalid user lpa from
> 203.252.182.37
> Jan 14 09:42:06 dedi_michel sshd[28972]: Invalid user admin from
> 203.252.182.37
> Jan 14 09:42:08 dedi_michel sshd[28974]: Invalid user admin from
> 203.252.182.37
> Jan 14 09:42:11 dedi_michel sshd[28976]: Invalid user admin from
> 203.252.182.37
> ....
> a lot of lines : >600 (1 every 2-3 seconds)
> ....
> Jan 14 10:02:53 dedi_michel sshd[31475]: Invalid user leslie from
> 203.252.182.37
> Jan 14 10:02:56 dedi_michel sshd[31477]: Invalid user leslie from
> 203.252.182.37
> Jan 14 10:02:56 dedi2 sshguard[31479]: Started successfully
> [(a,p,s)=(3, 600, 1800)], now ready to scan.
> Jan 14 10:02:58 dedi_michel sshd[31480]: Invalid user leslie from
> 203.252.182.37
> Jan 14 10:03:01 dedi_michel sshd[31482]: Invalid user leslie from
> 203.252.182.37
>
>
> And debug.0.log:
>
> Jan 14 05:30:21 dedi2 sshguard[21669]: Setting environment: \
> SSHG_ADDR=195.207.16.76;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Jan 14 05:30:21 dedi2 sshguard[21669]: Run command "/sbin/pfctl -
> Tdel -t sshguard $SSHG_ADDR": exited 0.
> Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.225.216.24' as
> plain IPv4.
> Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.225.216.24.
> Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.241.2.81' as
> plain IPv4.
> Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.241.2.81.
> Jan 14 10:02:56 dedi2 sshguard[31479]: Matched IP address
> 203.252.182.37
> Jan 14 10:03:01 dedi2 last message repeated 2 times
> Jan 14 10:03:01 dedi2 sshguard[31479]: Setting environment: \
> SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl -
> Tadd -t sshguard $SSHG_ADDR": exited 0.
> Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl -
> Tflush -t sshguard": exited 0.
> Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: \
> SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
>
> It looks like sshguard is starting twice at 10:02:56?

When that message occurs, sshguard is actually starting. This happens frequently for a restart (e.g. for log rotation) but there I don't see a "Got exit signal" message before. Do you see two instances at that point? If so, do they have the same parent and status? You can derive this answer with this command:

    ps axjh | grep -E 'sshguard|syslog'

As a further curiosity: if you signal the "looped" instance with TSTP, does it remain looping?

    kill -s TSTP <pid_looped>

after this command, do you see anything in the log like "Got STOP signal, suspending activity." ?

From: Michel <mi...@do...> - 2009-01-20 08:44:20

On Saturday 17 January 2009, Mij wrote:
> Hello Michel,
>
> On Jan 15, 2009, at 13:31 , Michel wrote:
>
> > On Wednesday 14 January 2009, Mij wrote:
> >> Hello Michel,
> >>
> >> Sorry for overlooking this post, I'm actually very interested.
> >> To clarify your scenario: you have 2 instances of sshguard,
> >> one for the host, the other one for both jails. I guess both
> >> jails are logging to the same file, and you are monitoring that (?).
> >>
> >> Is it always the "jails" process to show this behavior? Do you see
> >> anything strange ending up in logs? Can you report sshguard's more
> >> verbose messages (do you have debug.log or similar?)?
> >>
> >> thanks
> >>
> >
> > No, I usually have only one sshguard running:
> > ps -aux | grep sshguard \
> > root 46873 0.0 0.1 1888 1132 ?? Is 10:00AM
> > 0:00.05 /usr/local/sbin/sshguard -w
> >
> > I use syslog in the jails to log all auth.log on the host and the
> > syslog.conf of the host has the lines:
> > auth.info;authpriv.info /var/log/auth.log
> > auth.info;authpriv.info |exec /usr/local/sbin/sshguard -w
> > 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
>
> so you're saying:
> 1) there is one syslog running in your system, collecting everything
> from host+jails to auth.log

Yes

> 2) one sshguard is configured to be given these auth.log lines and
> blocks through PF for everything

Yes

>
> > The last time the problem appeared (from daily security mail):
> >
> > Jan 14 09:42:00 michel sshd[28968]: Invalid user lpd from
> > 203.252.182.37
> > Jan 14 09:42:03 michel sshd[28970]: Invalid user lpa from
> > 203.252.182.37
> > Jan 14 09:42:06 michel sshd[28972]: Invalid user admin from
> > 203.252.182.37
> > Jan 14 09:42:08 michel sshd[28974]: Invalid user admin from
> > 203.252.182.37
> > Jan 14 09:42:11 michel sshd[28976]: Invalid user admin from
> > 203.252.182.37
>
> here you don't mean that after these lines sshguard loops, do you?
>
>
> > In the auth.log of the host (dedi2 is the host, dedi_? are the
> > jails):
> >
> > Jan 14 05:21:00 dedi_raphael sshd[26881]: Did not receive
> > identification string from 216.127.160.82
> > Jan 14 05:21:00 dedi2 sshguard[21669]: Blocking 216.127.160.82: 3
> > failures over 156 seconds.
> > Jan 14 05:30:21 dedi2 sshguard[21669]: Releasing 195.207.16.76 after
> > 690 seconds.
> > Jan 14 08:41:06 dedi2 sshd[28485]: Did not receive identification
> > string from 201.134.249.168
> > Jan 14 08:48:15 dedi2 sshd[28550]: reverse mapping checking
> > getaddrinfo for customer-201-134-249-168.uninet-ide.com.mx
> > [201.134.249.168] failed - POSSIBLE BREAK-IN ATTEMPT!
> > Jan 14 08:48:15 dedi2 sshd[28550]: Invalid user globus from
> > 201.134.249.168
> > Jan 14 09:42:00 dedi_michel sshd[28968]: Invalid user lpd from
> > 203.252.182.37
> > Jan 14 09:42:03 dedi_michel sshd[28970]: Invalid user lpa from
> > 203.252.182.37
> > Jan 14 09:42:06 dedi_michel sshd[28972]: Invalid user admin from
> > 203.252.182.37
> > Jan 14 09:42:08 dedi_michel sshd[28974]: Invalid user admin from
> > 203.252.182.37
> > Jan 14 09:42:11 dedi_michel sshd[28976]: Invalid user admin from
> > 203.252.182.37
> > ....
> > a lot of lines : >600 (1 every 2-3 seconds)
> > ....
> > Jan 14 10:02:53 dedi_michel sshd[31475]: Invalid user leslie from
> > 203.252.182.37
> > Jan 14 10:02:56 dedi_michel sshd[31477]: Invalid user leslie from
> > 203.252.182.37
> > Jan 14 10:02:56 dedi2 sshguard[31479]: Started successfully
> > [(a,p,s)=(3, 600, 1800)], now ready to scan.
> > Jan 14 10:02:58 dedi_michel sshd[31480]: Invalid user leslie from
> > 203.252.182.37
> > Jan 14 10:03:01 dedi_michel sshd[31482]: Invalid user leslie from
> > 203.252.182.37
> >
> >
> > And debug.0.log:
> >
> > Jan 14 05:30:21 dedi2 sshguard[21669]: Setting environment: \
> > SSHG_ADDR=195.207.16.76;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> > Jan 14 05:30:21 dedi2 sshguard[21669]: Run command "/sbin/pfctl -
> > Tdel -t sshguard $SSHG_ADDR": exited 0.
> > Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.225.216.24' as
> > plain IPv4.
> > Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.225.216.24.
> > Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.241.2.81' as
> > plain IPv4.
> > Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.241.2.81.
> > Jan 14 10:02:56 dedi2 sshguard[31479]: Matched IP address
> > 203.252.182.37
> > Jan 14 10:03:01 dedi2 last message repeated 2 times
> > Jan 14 10:03:01 dedi2 sshguard[31479]: Setting environment: \
> > SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> > Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl -
> > Tadd -t sshguard $SSHG_ADDR": exited 0.
> > Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl -
> > Tflush -t sshguard": exited 0.
> > Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: \
> > SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> >
> > It looks like sshguard is starting twice at 10:02:56?
>
> When that message occurs, sshguard is actually starting. This happens
> frequently for a restart (e.g.
> for log rotation) but there I don't see a "Got exit signal" message
> before. Do you see two instances
> at that point?

Yes

> If so, do they have the same parent and status? You can
> derive this answer with this command:
>
> ps axjh | grep -E 'sshguard|syslog'
>

dedi2# ps axjh | grep -E 'sshguard|syslog'
root 426 1 426 426 0 Ss ?? 3:30.50 /usr/sbin/syslogd -a 88.191.206.196 -a 88.191.206.197 -a 88.191.206.198
root 746 1 746 746 0 SsJ ?? 1:07.35 /usr/sbin/syslogd -s
root 1302 1 1302 1302 0 IsJ ?? 1:03.50 /usr/sbin/syslogd -s
root 78143 1 74878 74878 0 R ?? 1358:09.42 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
root 82313 1 82313 82313 0 IsJ ?? 0:15.04 /usr/sbin/syslogd -s
root 88115 426 88115 88115 0 Ss ?? 0:00.10 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
root 95765 95761 95764 95758 2 R+ p1 0:00.00 grep -E sshguard|syslog

> As a further curiosity: if you signal the "looped" instance with TSTP,
> does it remain looping?
> kill -s TSTP <pid_looped>
> after this command, do you see anything in the log like "Got STOP
> signal, suspending activity." ?
>
>

kill -s TSTP 78143
and it remains looping!

and nothing in messages nor in debug:

Jan 20 09:17:56 dedi2 sshguard[88115]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
Jan 20 09:31:04 dedi2 sshguard[88115]: Setting environment: SSHG_ADDR=85.25.73.69;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jan 20 09:31:04 dedi2 sshguard[88115]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.

only a kill -9 78143 stops the loop ...

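Added example (not part of the original thread, and not sshguard project code): the parent/status comparison Mij asks for, scripted over `ps axjh` output like the listing above. The column layout is assumed from that listing, the sample lines are copied from it, and the names `sshguard_report` and `sample_ps` are hypothetical.

```sh
#!/bin/sh
# Added example: report parent and state of every sshguard process found in
# `ps axjh`-style lines on stdin. Assumed columns, as in the posted listing:
# USER PID PPID PGID SID JOBC STAT TT TIME COMMAND...

sshguard_report() {
    awk '
    {
        pid = $2
        ppid[pid] = $3
        stat[pid] = $7
        n = split($10, path, "/")     # basename of the executable
        base[pid] = path[n]
        order[++count] = pid
    }
    END {
        for (i = 1; i <= count; i++) {
            p = order[i]
            if (base[p] != "sshguard") continue
            total++
            # The parent is only identifiable if it appears in the listing.
            parent = (ppid[p] in base) ? base[ppid[p]] : "not-listed"
            note = (parent == "syslogd") ? "fed-by-syslogd" : "parent-not-syslogd"
            printf "%s ppid=%s parent=%s stat=%s %s\n", p, ppid[p], parent, stat[p], note
        }
        if (total > 1) printf "WARNING: %d sshguard instances\n", total
    }'
}

# Sample input: the lines posted in the message above, one process per line.
sample_ps() {
    cat <<'EOF'
root 426 1 426 426 0 Ss ?? 3:30.50 /usr/sbin/syslogd -a 88.191.206.196 -a 88.191.206.197 -a 88.191.206.198
root 746 1 746 746 0 SsJ ?? 1:07.35 /usr/sbin/syslogd -s
root 1302 1 1302 1302 0 IsJ ?? 1:03.50 /usr/sbin/syslogd -s
root 78143 1 74878 74878 0 R ?? 1358:09.42 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
root 82313 1 82313 82313 0 IsJ ?? 0:15.04 /usr/sbin/syslogd -s
root 88115 426 88115 88115 0 Ss ?? 0:00.10 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
root 95765 95761 95764 95758 2 R+ p1 0:00.00 grep -E sshguard|syslog
EOF
}

sample_ps | sshguard_report
```

On a live host the same function can read `ps axjh` directly; a header line, if present, is ignored because its command column is not `sshguard`.
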
From: Mij <mi...@bi...> - 2009-02-01 19:30:29

On Jan 20, 2009, at 9:43 , Michel wrote:

> On Saturday 17 January 2009, Mij wrote:
>> If so, do they have the same parent and status? You can
>> derive this answer with this command:
>>
>> ps axjh | grep -E 'sshguard|syslog'
>>
>
> dedi2# ps axjh | grep -E 'sshguard|syslog'
> root 426 1 426 426 0 Ss ?? 3:30.50 /usr/sbin/
> syslogd -a 88.191.206.196 -a 88.191.206.197 -a 88.191.206.198
> root 746 1 746 746 0 SsJ ?? 1:07.35 /usr/sbin/
> syslogd -s
> root 1302 1 1302 1302 0 IsJ ?? 1:03.50 /usr/sbin/
> syslogd -s
> root 78143 1 74878 74878 0 R ?? 1358:09.42 /usr/
> local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s
> 1800
> root 82313 1 82313 82313 0 IsJ ?? 0:15.04 /usr/sbin/
> syslogd -s
> root 88115 426 88115 88115 0 Ss ?? 0:00.10 /usr/local/
> sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
> root 95765 95761 95764 95758 2 R+ p1 0:00.00 grep -E
> sshguard|syslog

I see several instances of syslogd as well. I'm no jail expert, but as the "further" ones operate in secure my intuition is that they are raised for the jails.

Sshguard is not designed to run in multiple instances, but technically, even after reviewing the code, I don't see a reason for the looping. The problem is interesting.

When you kill the program, the OS should dump a core file somewhere (use "locate sshguard.core"): can you send it to me?

That would be even more valuable if you can

1) use the current SVN version

    mkdir sshguard && cd sshguard
    svn co https://sshguard.svn.sourceforge.net/svnroot/sshguard/ ./

2) compile with debug symbols and send the core of that version.

    ./configure --with-firewall=pf --enable-debug=yes
    make
    cp sshguard /usr/local/bin

(do NOT use make install, which strips debug symbols)

michele

>> As a further curiosity: if you signal the "looped" instance with
>> TSTP,
>> does it remain looping?
>> kill -s TSTP <pid_looped>
>> after this command, do you see anything in the log like "Got STOP
>> signal, suspending activity." ?
>>
>>
> kill -s TSTP 78143
> and it remains looping!
>
> and nothing in messages nor in debug:
>
> Jan 20 09:17:56 dedi2 sshguard[88115]: Run command "/sbin/pfctl -
> Tadd -t sshguard $SSHG_ADDR": exited 0.
> Jan 20 09:31:04 dedi2 sshguard[88115]: Setting environment:
> SSHG_ADDR=85.25.73.69;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Jan 20 09:31:04 dedi2 sshguard[88115]: Run command "/sbin/pfctl -
> Tdel -t sshguard $SSHG_ADDR": exited 0.
>
> only a kill -9 78143 stops the loop ...