From: Truffe C. <tru...@gm...> - 2007-05-21 17:09:55

I have installed sshguard-1.0beta2 on SUSE 10.1 with iptables, following the instructions described in the README. Installation and configuration following the README seemed to work fine.

However, after killall -HUP syslog-ng, a HUGE amount (several GBs in a few minutes) of log is written to /var/log/messages. The messages are just an infinite repeat of the following message:

++++++++++++++++++++++++++++++++++
May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 mesioa sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:42:13 hostname sshd': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip.
++++++++++++++++++++++++++++++++++

Now sshguard is stopped by commenting out the syslog-ng conf file and restarting syslog-ng.

Probably I have made a mistake at some step in the configuration. Could someone tell me what is wrong in my configuration?

Thanks,
From: Mij <mi...@bi...> - 2007-05-21 20:55:07

Truffe, this is the mechanism that causes that loop:

1) log lines of the auth facility are given to sshguard
2) sshguard parses each line; the parser generates a log message with "debug" level on its work result. All sshguard logging happens to the auth facility
3) syslog takes these logs back to sshguard, which then generates further logging

I was aware of this possibility and relied on either of these assumptions for avoiding step 3 (and thus the whole loop):

#1 debug logs are typically discarded or directed to a specific log file, e.g. "debug.log"
#2 log messages with "sshd" are filtered before passing to sshguard

If you use syslog-ng I suggest you go the simpler way (#2): specify the following filter for sshguard

    filter sshlogs { facility(auth, authpriv) and match("sshd"); };

In the future I will possibly remove that debug message. Thanks for making me put this remark on the archives.
From: Truffe C. <tru...@gm...> - 2007-05-22 02:33:13

Hi Mij,

> If you use syslog-ng I suggest you to go the simpler (#2): specify
> the following filter for sshguard
> filter sshlogs { facility(auth, authpriv) and match ("sshd"); };

According to the instructions, I have included the following lines in /etc/syslog-ng/syslog-ng.conf:

    filter sshlogs { facility(auth, authpriv) and match("sshd"); };
    destination sshguardproc { program("/usr/local/sbin/sshguard" template("$DATE $FULLHOST $MESSAGE\n")); };
    log { source(src); filter(sshlogs); destination(sshguardproc); };

Then syslog-ng restarted well, with the following message:

    May 22 11:01:57 hostname sshguard[4098]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.

However, at the first remote ssh login after restarting syslog-ng, the same message loop happened. If I use the tail option, tail -n0 -F /var/log/messages | /usr/local/sbin/sshguard, I get a similar result.

truffe
From: Truffe C. <tru...@gm...> - 2007-05-22 03:37:01

Hi Mij

I have solved the message loop problem by specifying in /etc/syslog-ng/syslog-ng.conf:

    filter sshlogs { facility(auth, authpriv) and match('^sshd\['); };
    destination sshguardproc { program("/usr/local/sbin/sshguard" template("$DATE $FULLHOST $MESSAGE\n")); };
    log { source(src); filter(sshlogs); destination(sshguardproc); };

"match('^sshd\[')" can solve the problem. If this is not specified, any message containing "sshd" in any position in the log can be parsed into sshguard.

I think it's better to include this instruction in the README/manuals. Otherwise, some people could get huge log files and use up their disk quota :-)

Thanks,
truffe.
From: Mij <mi...@bi...> - 2007-05-22 12:02:38

On 22/mag/07, at 05:36, Truffe Champagne wrote:

> Hi Mij
>
> I have solved the message loop problem specifying in the
> /etc/syslog-ng/syslog-ng.conf,
>
> filter sshlogs { facility(auth, authpriv) and match('^sshd\['); };
> destination sshguardproc { program("/usr/local/sbin/sshguard"
> template("$DATE $FULLHOST $MESSAGE\n")); };
> log { source(src); filter(sshlogs); destination(sshguardproc); };
>
> "match('^sshd\[')" can solve the problem. If this is not specified,
> message containing
> "sshd" in any position in the log can be parsed into sshguard.

This is correct because the parsing result logging includes the original string, which contained sshd and is then passed again in a loop. Sorry for having missed that.

> I think it's better to include this instruction for README/manuals.
> Otherwise,
> some people could get huge log files and use up disk quota :-)

I have chosen to remove that parser result logging, which is definitely excessive even for DEBUG. This is simpler, cleaner and spares some load on the logging system. This will appear in beta3, along with a slightly modified backend for iptables.

If you like to apply this modification immediately, you can remove the sshguard_log() line in src/sshguard.c, line 142 and recompile the app.

Thanks for your trials and reports.
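The feedback loop Mij describes (syslog-ng hands an sshd line to sshguard, sshguard echoes the whole line in a debug message to the auth facility, the filter selects that echo again) and the '^sshd\[' anchor Truffe used to break it can be checked offline before touching a live syslog-ng. The following Python script is an added example, not code from the thread or from the sshguard project. It models sshguard 1.0beta2's "Parsing line '...': skip." debug message as quoted above, emulates syslog-ng's match() as an unanchored regex search over the $MESSAGE part of a "$DATE $FULLHOST $MESSAGE" line (as in syslog-ng 2.x, where $MESSAGE still started with "program[pid]: "), and counts how many times sshguard's own output would be fed back to it. The sample log lines, the pid and the helper names are constructed for the example; the facility(auth, authpriv) half of the filter is assumed to hold for every sample line.

```python
import re

# Constructed sample line in the "$DATE $FULLHOST $MESSAGE" shape that the
# thread's syslog-ng template feeds to sshguard (syslog-ng 2.x semantics,
# where $MESSAGE begins with "program[pid]: ").
SSHD_LINE = ("May 22 01:42:13 hostname sshd[2011]: "
             "Failed password for invalid user test from 10.0.0.5 port 4022 ssh2")

# Constructed auth-facility line from another program that merely mentions sshd:
# a loose match("sshd") would hand this to sshguard too.
OTHER_LINE = "May 22 01:43:00 hostname cron[2100]: (root) CMD (/etc/init.d/sshd restart)"


def sshguard_debug_line(parsed_line, pid=24897):
    """Model of the sshguard 1.0beta2 parser debug message quoted in the thread.

    It echoes the entire input line, so its own text contains whatever the
    input contained, including the substring 'sshd'.
    """
    return f"May 22 01:54:01 hostname sshguard[{pid}]: Parsing line '{parsed_line}': skip."


def message_part(line):
    """Return the $MESSAGE part: everything after "$DATE $FULLHOST" (date is three tokens)."""
    return line.split(" ", 4)[4]


def selected(match_regex, line):
    """Emulate syslog-ng's match(): an unanchored regex search over $MESSAGE."""
    return re.search(match_regex, message_part(line)) is not None


def feedback_count(match_regex, first_line, limit=10):
    """Simulate the syslog-ng -> sshguard -> syslog -> syslog-ng cycle.

    Returns how many of sshguard's own debug lines the filter hands back to
    sshguard before the cycle dies out; reaching `limit` means it never does
    (the "several GBs in a few minutes" case). Returns 0 when the first line
    is not selected at all, i.e. sshd lines never reach sshguard.
    """
    if not selected(match_regex, first_line):
        return 0
    fed_back = 0
    line = sshguard_debug_line(first_line)
    while fed_back < limit and selected(match_regex, line):
        fed_back += 1
        line = sshguard_debug_line(line)
    return fed_back


if __name__ == "__main__":
    for pattern in ("sshd", r"^sshd\["):
        print(f"match({pattern!r}):")
        print("  sshd line reaches sshguard      :", selected(pattern, SSHD_LINE))
        print("  unrelated line reaches sshguard :", selected(pattern, OTHER_LINE))
        print("  feedback iterations (10 = loop) :", feedback_count(pattern, SSHD_LINE))
```

With match("sshd") the simulation hits the iteration limit, because every echoed debug line still contains "sshd"; with match('^sshd\[') the original sshd line is still selected, the cron line and sshguard's own "sshguard[...]" lines are not, and no feedback occurs. One caveat for anyone reusing the thread's filter today: on syslog-ng 3.x the $MESSAGE macro no longer carries the "program[pid]: " prefix, so a match() anchored on '^sshd\[' selects nothing; the equivalent there is the program() filter, e.g. filter sshlogs { facility(auth, authpriv) and program("^sshd$"); };.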