From: <jo...@te...> - 2015-08-14 02:28:31

Hello,

I have a daemon manager that starts and stops sshguard. This daemon manager is a library used by an application. At one point in time a command is sent to this manager to terminate sshguard and that is executed in a thread. Meanwhile, the application goes on by calling iptables. From time to time, that iptables command fails with iptables reporting that there is a xlock on iptables since another application is using it.

My question is: does sshguard execute any iptables command when terminating ?

Thanks.

From: Kevin Z. <kev...@gm...> - 2015-08-14 03:18:32

On 08/13/2015 21:28, jo...@te... wrote:
> I have a daemon manager that starts and stops sshguard. This daemon
> manager is a library used by an application. At one point in time a
> command is sent to this manager to terminate sshguard and that is
> executed in a thread. Meanwhile, the application goes on by calling
> iptables. From time to time, that iptables command fails with iptables
> reporting that there is a xlock on iptables since another application
> is using it.

What operating system are you running? What version of SSHGuard? The fix for the iptables lock landed shortly before 1.6.0.

> My question is: does sshguard execute any iptables command when
> terminating ?

Yes, it runs iptables to flush blocked addresses.

Best,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

From: jonetsu <jo...@te...> - 2015-08-14 14:06:04

> From: "Kevin Zheng" <kev...@gm...>
> Date: 08/13/15 23:18

Hello,

> What operating system are you running? What version of
> SSHGuard? The fix for the iptables lock landed shortly before
> 1.6.0.

This is a Debian platform. The version is 1.5.

>> My question is: does sshguard execute any iptables command when
>> terminating ?

> Yes, it runs iptables to flush blocked addresses.

I got the tarball generated by the web site and looked at the Changes file under 1.6 section, and did not see anything pertaining to this lock problem. The code does not mention 'xlock' specifically.

If I consider sshguard as a black box, then what I thought of doing is to add a --wait (-w) switch to my iptables call, which will make iptables wait until the xlock is removed. That amount of time looks like rather short, since the xlock condition does not happen every time. Looks like it's dependent on the CPU being just a bit too busy at that time, from some other process.

I'm curious about how a lock problem appeared *within* sshguard... Can you explain what the problem was ?

Thanks !

From: Kevin Z. <kev...@gm...> - 2015-08-14 14:25:32

On 08/14/2015 09:06, jonetsu wrote:
> This is a Debian platform. The version is 1.5.

If possible, you should upgrade to 1.6.0.

> I got the tarball generated by the web site and looked at the
> Changes file under 1.6 section, and did not see anything
> pertaining to this lock problem. The code does not mention
> 'xlock' specifically.

You're looking for the last line of the v1.6.0 ChangeLog:

"Wait for xtables lock when using iptables command (James Harris)"

> If I consider sshguard as a black box, then what I thought of
> doing is to add a --wait (-w) switch to my iptables call, which
> will make iptables wait until the xlock is removed. That amount
> of time looks like rather short, since the xlock condition does
> not happen every time. Looks like it's dependent on the CPU being
> just a bit too busy at that time, from some other process.

This is how the issue was fixed in v1.6.0.

> I'm curious about how a lock problem appeared *within*
> sshguard... Can you explain what the problem was ?

My guess is that another program is running 'iptables', or another SSHGuard command did not finish. I'm not entirely sure because I don't run 'iptables' myself.

Best,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

From: James H. <jam...@gm...> - 2015-08-14 19:05:58

I most often saw the xlock error on boot when firewalld (a not very dynamic, dynamic firewall) and sshguard were both running through iptables commands to bring up the firewall.

On Fri, Aug 14, 2015 at 7:25 AM, Kevin Zheng <kev...@gm...> wrote:
> On 08/14/2015 09:06, jonetsu wrote:
> > This is a Debian platform. The version is 1.5.
>
> If possible, you should upgrade to 1.6.0.
>
> > I got the tarball generated by the web site and looked at the
> > Changes file under 1.6 section, and did not see anything
> > pertaining to this lock problem. The code does not mention
> > 'xlock' specifically.
>
> You're looking for the last line of the v1.6.0 ChangeLog:
>
> "Wait for xtables lock when using iptables command (James Harris)"
>
> > If I consider sshguard as a black box, then what I thought of
> > doing is to add a --wait (-w) switch to my iptables call, which
> > will make iptables wait until the xlock is removed. That amount
> > of time looks like rather short, since the xlock condition does
> > not happen every time. Looks like it's dependent on the CPU being
> > just a bit too busy at that time, from some other process.
>
> This is how the issue was fixed in v1.6.0.
>
> > I'm curious about how a lock problem appeared *within*
> > sshguard... Can you explain what the problem was ?
>
> My guess is that another program is running 'iptables', or another
> SSHGuard command did not finish. I'm not entirely sure because I don't
> run 'iptables' myself.
>
> Best,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

--
James Harris
Software Engineer
jam...@gm...

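The race discussed in this thread, handled on the caller's side, as an added example that is not part of any message here and is not sshguard code: wait for a terminating sshguard to exit, then run iptables and retry only when it exits with status 4, the status iptables uses when the xtables lock is held. The names `wait_for_exit`, `iptables_retry`, `IPTABLES_CMD` and `RETRY_DELAY`, and the sample rule in the usage comment, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: keep a caller's iptables use from colliding with sshguard's
# exit-time flush. All function and variable names here are hypothetical.

IPTABLES_CMD="${IPTABLES_CMD:-iptables}"   # overridable, so the logic runs without root
RETRY_DELAY="${RETRY_DELAY:-1}"            # seconds between polls and between retries
XT_RESOURCE_PROBLEM=4                      # iptables RESOURCE_PROBLEM: xtables lock is held

# wait_for_exit PID MAX_POLLS
# Poll until PID is gone. PID must not be a child of this shell (for example,
# it was read from a pid file); a shell's own child is reaped with `wait`.
wait_for_exit() {
    pid=$1
    polls=$2
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$polls" -le 0 ]; then
            return 1                       # still running after MAX_POLLS polls
        fi
        polls=$((polls - 1))
        sleep "$RETRY_DELAY"
    done
    return 0
}

# iptables_retry MAX_ATTEMPTS IPTABLES_ARGS...
# Run iptables, retrying only when it reports the lock as busy (status 4).
# Any other status, success included, is returned after the first attempt.
iptables_retry() {
    max=$1
    shift
    attempt=1
    while :; do
        rc=0
        "$IPTABLES_CMD" "$@" || rc=$?
        if [ "$rc" -ne "$XT_RESOURCE_PROBLEM" ] || [ "$attempt" -ge "$max" ]; then
            return "$rc"
        fi
        attempt=$((attempt + 1))
        sleep "$RETRY_DELAY"
    done
}

# Usage (not executed here; the rule is a constructed sample):
#   kill -TERM "$pid" && wait_for_exit "$pid" 10
#   iptables_retry 5 -w -A INPUT -p tcp --dport 22 -j ACCEPT
```

Passing `-w` as well lets an iptables that supports it block on the lock itself, while the retry loop covers builds that predate the option.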
From: jonetsu <jo...@te...> - 2015-08-14 16:35:03

> From: "Kevin Zheng" <kev...@gm...>
> Date: 08/14/15 10:25

> If possible, you should upgrade to 1.6.0.

> You're looking for the last line of the v1.6.0 ChangeLog:
> "Wait for xtables lock when using iptables command (James Harris)"

What I got today is sshguard-code-238-trunk (automatically generated tarball) and it does not have that file. I got the 238 because the download link in the sshguard page offered 1.5 which I already have. 238 was from 'Download' tab -> 'From Source' -> 'latest release' link. 238 does not have ChangeLog file.

How to get the 1.6.0 release ?

Thanks.

From: jonetsu <jo...@te...> - 2015-08-14 18:52:35

> From: jonetsu <jo...@te...>
> Date: 08/14/15 12:35

> I already have. 238 was from 'Download' tab -> 'From Source' ->
> 'latest release' link. 238 does not have ChangeLog file.

Sorry, that link is for the 1.5 source release.

Is there another web site than sshguard.net ?

Thanks.

From: Kevin Z. <kev...@gm...> - 2015-08-14 19:51:25

On 08/14/2015 13:52, jonetsu wrote:
> Sorry, that link is for the 1.5 source release.

The source repository is now hosted on Bitbucket:

https://bitbucket.org/sshguard/sshguard

Source tarballs are still available from SourceForge:

https://sourceforge.net/projects/sshguard/

> Is there another web site than sshguard.net ?

The website needs plenty of updating.

Best,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090