From: Robert S <rob...@gm...> - 2010-03-17 20:58:15
Thanks.

I left sshguard running overnight with the above config and recorded hundreds of attempts to log in that were not blocked. It appears that the syslog-ng config is not sending messages to sshguard.

I have just downgraded sshguard to 1.4.4 and the logging is appearing again in my system log:

Mar 18 07:48:23 hostname syslog-ng[30304]: Configuration reload request received, reloading configuration;
Mar 18 07:48:23 hostname sshguard[27966]: authenticating service 100 with process ID from /var/run/sshd.pid
Mar 18 07:48:23 hostname sshguard[27966]: whitelist: add block: 192.168.2.0 with mask 24.
Mar 18 07:48:23 hostname sshguard[27966]: whitelist: add '127.0.0.1' as plain IPv4.
Mar 18 07:48:23 hostname sshguard[27966]: whitelist: add plain ip 127.0.0.1.
Mar 18 07:48:23 hostname sshguard[27966]: Run command "iptables -L": exited 0.
Mar 18 07:48:23 hostname sshguard[27966]: Blacklist loaded, 0 addresses.
Mar 18 07:48:23 hostname sshguard[27966]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
From: Robert S <rob...@gm...> - 2010-04-28 21:15:02
> Your backtrace seems interesting. sshguard seems waiting while performing process authentication.
> Procauth has been there for long and should be stable. Can you please try to temporarily disable
> the "-f 100:/var/run/sshd.pid" and observe if you still get that? The outcome will confirm/falsify the
> insight.

I'm running sshguard with these options, with the SSHGUARD_DEBUG variable set:

# sshguard -l /var/log/auth.log -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist

I've had it running for 24hr and it's still running now. There have been two intruders blocked over this time (there seem to be much fewer attempted logins lately!). I think that's fixed it.

Unfortunately no sshguard activity appears in my syslog - this feature seems to have disappeared in recent versions of the software. It seems to be necessary to set the SSHGUARD_DEBUG variable, which gives an extremely verbose debug output. I think that this has led to my not realising that sshguard was not working for many months before this problem cropped up. Is it possible to enable logging to syslog - or to another log file?
From: Mij <mi...@ss...> - 2010-04-28 22:11:23
On Apr 28, 2010, at 23:14 , Robert S wrote:
>> Your backtrace seems interesting. sshguard seems waiting while performing process authentication.
>> Procauth has been there for long and should be stable. Can you please try to temporarily disable
>> the "-f 100:/var/run/sshd.pid" and observe if you still get that? The outcome will confirm/falsify the
>> insight.
>>
>
> I'm running sshguard with these options, with the SSHGUARD_DEBUG variable set:
>
> # sshguard -l /var/log/auth.log -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist
>
> I've had it running for 24hr and it's still running now. There have
> been two intruders blocked over this time (there seem to be much fewer
> attempted logins lately!). I think that's fixed it.
>
> Unfortunately no sshguard activity appears in my syslog - this feature
> seems to have disappeared in recent versions of the software. It
> seems to be necessary to set the SSHGUARD_DEBUG variable, which gives
> an extremely verbose debug output. I think that this has led to my
> not realising that sshguard was not working for many months before
> this problem cropped up. Is it possible to enable logging to syslog -
> or to another log file?

Activity should appear in your syslog, with AUTH facility. There was a change in recent versions, namely now only output "> LOG_NOTICE" is issued. Curiously, this change is fruit of other users' requests. On the one hand, this should be sufficient for normal use (i.e., as soon as you don't have your bug anymore); on the other hand, it's true it makes possible problems of this sort less apparent. I'll give it a thought and decide something before 1.5stable.

If you want to temporarily tweak it to your preference, change

    const int sshguard_log_minloglevel = LOG_NOTICE;

to whichever level you prefer in sshguard_log.c .
From: Robert S <rob...@gm...> - 2010-04-29 12:59:12
Hi. As suggested, the statement below fixed the logging issue.

    const int sshguard_log_minloglevel = LOG_INFO;

However, there appears to be a problem with process authentication:

Apr 29 22:49:29 myhost sshd[8307]: User root from xxx.xxx.xxx.99 not allowed because none of user's groups are listed in AllowGroups
Apr 29 22:49:29 myhost sshguard[8310]: Running 'ps axo pid,ppid'.
Apr 29 22:49:29 myhost sshguard[8301]: Process 8307 is not child of 4547.
Apr 29 22:49:29 myhost sshguard[8301]: Ignore attack as pid '8307' has been forged for service 100.

# ps ax |grep sshguard
8301 pts/1 Sl+ 0:00 /usr/src/local/sshguard/trunk/src/sshguard -l /var/log/auth.log -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist -f 100:/var/run/sshd.pid

This problem goes away when I omit the "-f 100:/var/run/sshd.pid" option.
From: Mij <mi...@ss...> - 2010-04-29 15:55:02
On Apr 29, 2010, at 14:59 , Robert S wrote:
> Apr 29 22:49:29 myhost sshd[8307]: User root from xxx.xxx.xxx.99 not allowed because none of user's groups are listed in AllowGroups
> Apr 29 22:49:29 myhost sshguard[8310]: Running 'ps axo pid,ppid'.
> Apr 29 22:49:29 myhost sshguard[8301]: Process 8307 is not child of 4547.
> Apr 29 22:49:29 myhost sshguard[8301]: Ignore attack as pid '8307' has been forged for service 100.

This can legitimately occur if sshguard gets the log message after the process spawning it exited. In practice, this should happen very rarely with log sucking, say <5% of the times with this pattern on idle servers (sshguard adjusts the monitoring frequency to the log traffic), and nearly never with direct feeding. Should you observe different numbers, feel free to write in.
From: Robert S <rob...@gm...> - 2010-05-03 11:08:58
Unfortunately process authentication isn't working. I received 953 "Ignore" messages today:

# grep sshguard /var/log/messages
May 3 18:22:26 hostname sshguard[25226]: Ignore attack as pid '9922' has been forged for service 100.
May 3 18:22:29 hostname sshguard[9927]: Running 'ps axo pid,ppid'.
May 3 18:22:29 hostname sshguard[25226]: Process 9925 is not child of 4639.
May 3 18:22:29 hostname sshguard[25226]: Ignore attack as pid '9925' has been forged for service 100.
May 3 18:22:31 hostname sshguard[9930]: Running 'ps axo pid,ppid'.
May 3 18:22:31 hostname sshguard[25226]: Process 9928 is not child of 4639.
May 3 18:22:31 hostname sshguard[25226]: Ignore attack as pid '9928' has been forged for service 100.
May 3 18:22:34 hostname sshguard[9933]: Running 'ps axo pid,ppid'.
May 3 18:22:34 hostname sshguard[25226]: Process 9931 is not child of 4639.

There was only one "hit" resulting in a block.

I'm using direct feeding from a fifo:

# cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist -f 100:/var/run/sshd.pid
From: Mij <mi...@ss...> - 2010-05-10 08:34:13
A missing fclose() could cause this to occur after a while for descriptor exhaustion; please try r196.

Note that, for a few patterns (currently "Did not receive identification string") procauth can inherently not succeed as the log message appears after the emitting process exited.

On May 3, 2010, at 13:08 , Robert S wrote:
> Unfortunately process authentication isn't working. I received 953
> "Ignore" messages today:
>
> # grep sshguard /var/log/messages
> May 3 18:22:26 hostname sshguard[25226]: Ignore attack as pid '9922' has been forged for service 100.
> May 3 18:22:29 hostname sshguard[9927]: Running 'ps axo pid,ppid'.
> May 3 18:22:29 hostname sshguard[25226]: Process 9925 is not child of 4639.
> May 3 18:22:29 hostname sshguard[25226]: Ignore attack as pid '9925' has been forged for service 100.
> May 3 18:22:31 hostname sshguard[9930]: Running 'ps axo pid,ppid'.
> May 3 18:22:31 hostname sshguard[25226]: Process 9928 is not child of 4639.
> May 3 18:22:31 hostname sshguard[25226]: Ignore attack as pid '9928' has been forged for service 100.
> May 3 18:22:34 hostname sshguard[9933]: Running 'ps axo pid,ppid'.
> May 3 18:22:34 hostname sshguard[25226]: Process 9931 is not child of 4639.
>
> There was only one "hit" resulting in a block.
>
> I'm using direct feeding from a fifo:
>
> # cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist -f 100:/var/run/sshd.pid
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
From: Robert S <rob...@gm...> - 2010-05-12 09:36:30
Sadly this problem still seems to occur in the latest svn version :(

May 12 16:49:20 hostname sshd[8739]: Invalid user desktop from 67.218.16.28
May 12 16:49:20 hostname sshguard[31623]: Ignore attack as pid '8739' has been forged for service 100.
May 12 16:49:22 hostname sshd[8742]: Invalid user workshop from 67.218.16.28
May 12 16:49:22 hostname sshguard[31623]: Ignore attack as pid '8742' has been forged for service 100.
May 12 16:49:24 hostname sshd[8745]: Invalid user mailnull from 67.218.16.28
May 12 16:49:24 hostname sshguard[31623]: Ignore attack as pid '8745' has been forged for service 100.

# ps ax |grep sshguard
31623 ? Sl 0:00 /usr/local/sbin/sshguard -l /var/log/sshguard.fifo -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist -f 100:/var/run/sshd.pid
From: Mij <mi...@ss...> - 2010-05-12 20:12:57
Hey Robert, thanks for your perseverance. I found a subtle regression there. Please check out r199 and let me know.

On May 12, 2010, at 11:36 , Robert S wrote:
> Sadly this problem still seems to occur in the latest svn version :(
>
> May 12 16:49:20 hostname sshd[8739]: Invalid user desktop from 67.218.16.28
> May 12 16:49:20 hostname sshguard[31623]: Ignore attack as pid '8739' has been forged for service 100.
> May 12 16:49:22 hostname sshd[8742]: Invalid user workshop from 67.218.16.28
> May 12 16:49:22 hostname sshguard[31623]: Ignore attack as pid '8742' has been forged for service 100.
> May 12 16:49:24 hostname sshd[8745]: Invalid user mailnull from 67.218.16.28
> May 12 16:49:24 hostname sshguard[31623]: Ignore attack as pid '8745' has been forged for service 100.
>
> # ps ax |grep sshguard
> 31623 ? Sl 0:00 /usr/local/sbin/sshguard -l /var/log/sshguard.fifo -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist -f 100:/var/run/sshd.pid
From: Robert S <rob...@gm...> - 2010-05-14 09:20:05
Hi.

I have tried this with log sucking and direct feed from a FIFO with similar results. This is certainly a lot better, but there are still some false positives:

May 14 01:31:31 hostname sshd[21193]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:32 hostname sshguard[21993]: Ignore attack as pid '21193' has been forged for service 100.
May 14 01:31:35 hostname sshd[21199]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:39 hostname sshd[21202]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:43 hostname sshd[21208]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:47 hostname sshd[21219]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:47 hostname sshguard[21993]: Blocking 64.179.173.93:4 for >630secs: 40 danger in 4 attacks over 12 seconds (all: 40d in 1 abuses over 12s).
May 14 02:27:55 hostname sshd[21341]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:27:56 hostname sshguard[21993]: Ignore attack as pid '21341' has been forged for service 100.
May 14 02:27:57 hostname sshd[21343]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:27:58 hostname sshd[21347]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:28:00 hostname sshd[21350]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:28:02 hostname sshd[21353]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:28:02 hostname sshguard[21993]: Blocking 59.188.11.38:4 for >630secs: 40 danger in 4 attacks over 5 seconds (all: 40d in 1 abuses over 5s).
May 14 02:33:33 hostname sshd[21376]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:33 hostname sshguard[21993]: Ignore attack as pid '21376' has been forged for service 100.
May 14 02:33:36 hostname sshd[21379]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:38 hostname sshd[21382]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:41 hostname sshd[21385]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:45 hostname sshd[21388]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:45 hostname sshguard[21993]: Blocking 122.166.36.130:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
May 14 04:10:27 hostname sshd[21735]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
May 14 04:10:31 hostname sshd[21738]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
May 14 04:10:35 hostname sshd[21741]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
May 14 04:10:39 hostname sshd[21744]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
May 14 04:10:39 hostname sshguard[21993]: Blocking 122.0.19.18:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).

Robert.
From: Mij <mi...@ss...> - 2010-07-05 10:30:42
Hi Robert,

I cannot reproduce this problem on any of my machines, but here is the most likely explanation. Log Validation works as follows:

1. recognize an attack signature
2. extract generating PID from it (logPID)
3. compare logPID with the genuine PID genPID (from the pidfile). Match => ACCEPT

The algorithm ideally stops here, but some daemons (like sshd) delegate connection processing to children. So the algorithm goes on:

4. ask the system for the parent-child process table
5. check if logPID is child of genPID. Match => ACCEPT
6. REJECT

For daemons delegating client handling to children, what's likely happening on your machine is that sshguard receives the message when the child has already died after sending its log message. Sshguard has then no way to tell.

With log sucking this is more likely to happen under non-BSD systems, where the logic is implemented with proactive non-blocking polls (on BSD it's reactive on kqueue()). I will consider collapsing this in a single libevent logic in the near future.

michele

On May 14, 2010, at 11:19 , Robert S wrote:
> Hi.
>
> I have tried this with log sucking and direct feed from a FIFO with
> similar results. This is certainly a lot better, but there are still
> some false positives:
>
> May 14 01:31:31 hostname sshd[21193]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:32 hostname sshguard[21993]: Ignore attack as pid '21193' has been forged for service 100.
> May 14 01:31:35 hostname sshd[21199]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:39 hostname sshd[21202]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:43 hostname sshd[21208]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:47 hostname sshd[21219]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:47 hostname sshguard[21993]: Blocking 64.179.173.93:4 for >630secs: 40 danger in 4 attacks over 12 seconds (all: 40d in 1 abuses over 12s).
> May 14 02:27:55 hostname sshd[21341]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:27:56 hostname sshguard[21993]: Ignore attack as pid '21341' has been forged for service 100.
> May 14 02:27:57 hostname sshd[21343]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:27:58 hostname sshd[21347]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:28:00 hostname sshd[21350]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:28:02 hostname sshd[21353]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:28:02 hostname sshguard[21993]: Blocking 59.188.11.38:4 for >630secs: 40 danger in 4 attacks over 5 seconds (all: 40d in 1 abuses over 5s).
> May 14 02:33:33 hostname sshd[21376]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:33 hostname sshguard[21993]: Ignore attack as pid '21376' has been forged for service 100.
> May 14 02:33:36 hostname sshd[21379]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:38 hostname sshd[21382]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:41 hostname sshd[21385]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:45 hostname sshd[21388]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:45 hostname sshguard[21993]: Blocking 122.166.36.130:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
> May 14 04:10:27 hostname sshd[21735]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
> May 14 04:10:31 hostname sshd[21738]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
> May 14 04:10:35 hostname sshd[21741]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
> May 14 04:10:39 hostname sshd[21744]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
> May 14 04:10:39 hostname sshguard[21993]: Blocking 122.0.19.18:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
>
> Robert.
From: Mij <mi...@ss...> - 2010-07-17 00:04:25
For the archives, this is the plan for addressing this problem:

The Log Sucker is too important to neglect the problem. At the same time, minimizing latencies on all systems so as to recover this problem requires implementing code hooking into the least portable, most OS-specific API (poll() / kqueue() / epoll() etc) for each different system. No way we're going through this in the middle of an RC line :)

Thus, the deal is: release 1.5 will provide Log Sucking with the current machinery (optimized for BSD, regular for all others), but will discourage via documentation the use of Log Validation along with it. That is, in sshguard-1.5 you either use Log Validation xor you use Log Sucking. In other words, Validation won't Suck.

Notice that "false positives" in validation with Log Sucking may occur only in the conjunction of these cases:
1) the service handles connections by fork()ing and delegating them to children (OpenSSH and some Apache do, dropbear and nginx do not)
2) the child dies immediately after logging the sensitive signature
3) the OS does not notify SSHGuard of the new log data after writing it, but handles the child exit first

Yet, the choice is to discourage the joint use of the two techniques until the case is addressed.

On Jul 5, 2010, at 12:30 , Mij wrote:
> Hi Robert,
>
> I cannot reproduce this problem on any of my machines, but here is the most likely
> explanation. Log Validation works as follows:
> 1. recognize an attack signature
> 2. extract generating PID from it (logPID)
> 3. compare logPID with the genuine PID genPID (from the pidfile). Match => ACCEPT
>
> The algorithm ideally stops here, but some daemons (like sshd) delegate connection
> processing to children. So the algorithm goes on:
> 4. ask the system for the parent-child process table
> 5. check if logPID is child of genPID. Match => ACCEPT
> 6. REJECT
>
> For daemons delegating client handling to children, what's likely happening on your
> machine is that sshguard receives the message when the child has already
> died after sending its log message. Sshguard has then no way to tell.
>
> With log sucking this is more likely to happen under non-BSD systems, where the
> logic is implemented with proactive non-blocking polls (on BSD it's reactive on kqueue()).
> I will consider collapsing this in a single libevent logic in the near future.
>
> michele
>
>
> On May 14, 2010, at 11:19 , Robert S wrote:
>
>> Hi.
>>
>> I have tried this with log sucking and direct feed from a FIFO with
>> similar results. This is certainly a lot better, but there are still
>> some false positives:
>>
>> May 14 01:31:31 hostname sshd[21193]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
>> May 14 01:31:32 hostname sshguard[21993]: Ignore attack as pid '21193' has been forged for service 100.
>> May 14 01:31:35 hostname sshd[21199]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
>> May 14 01:31:39 hostname sshd[21202]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
>> May 14 01:31:43 hostname sshd[21208]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
>> May 14 01:31:47 hostname sshd[21219]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
>> May 14 01:31:47 hostname sshguard[21993]: Blocking 64.179.173.93:4 for >630secs: 40 danger in 4 attacks over 12 seconds (all: 40d in 1 abuses over 12s).
>> May 14 02:27:55 hostname sshd[21341]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
>> May 14 02:27:56 hostname sshguard[21993]: Ignore attack as pid '21341' has been forged for service 100.
>> May 14 02:27:57 hostname sshd[21343]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
>> May 14 02:27:58 hostname sshd[21347]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
>> May 14 02:28:00 hostname sshd[21350]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
>> May 14 02:28:02 hostname sshd[21353]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
>> May 14 02:28:02 hostname sshguard[21993]: Blocking 59.188.11.38:4 for >630secs: 40 danger in 4 attacks over 5 seconds (all: 40d in 1 abuses over 5s).
>> May 14 02:33:33 hostname sshd[21376]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
>> May 14 02:33:33 hostname sshguard[21993]: Ignore attack as pid '21376' has been forged for service 100.
>> May 14 02:33:36 hostname sshd[21379]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
>> May 14 02:33:38 hostname sshd[21382]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
>> May 14 02:33:41 hostname sshd[21385]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
>> May 14 02:33:45 hostname sshd[21388]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
>> May 14 02:33:45 hostname sshguard[21993]: Blocking 122.166.36.130:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
>> May 14 04:10:27 hostname sshd[21735]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
>> May 14 04:10:31 hostname sshd[21738]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
>> May 14 04:10:35 hostname sshd[21741]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
>> May 14 04:10:39 hostname sshd[21744]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
>> May 14 04:10:39 hostname sshguard[21993]: Blocking 122.0.19.18:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
>>
>> Robert.
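The six-step Log Validation algorithm Mij describes, and the race he and Robert are chasing (the sshd child exits before the guard reads the line, so the parent-child check can no longer confirm it), re-implemented as an added stand-alone illustration. This is not sshguard's code: it recognises only the two sshd signatures quoted in this thread, treats "child of genPID" as a direct parent check (an assumption; the thread does not say whether sshguard walks further up the tree), and every log line, pidfile content and `ps axo pid,ppid` snapshot below is constructed sample data with documentation addresses.

```python
"""Log Validation ("procauth") as described in the thread, as a stand-alone
illustration.  Not sshguard's own code; all inputs below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Step 1: attack signatures.  Only the two sshd messages quoted in the thread
# are recognised here; sshguard's real signature set is much larger.
ATTACK_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:User \S+ from (?P<ip1>\S+) not allowed because none of user's groups"
    r" are listed in AllowGroups|Invalid user \S+ from (?P<ip2>\S+))$"
)

def read_pidfile(text: str) -> int:
    """Step 3 input: genPID, the content of the service's pidfile (passed in as text)."""
    return int(text.strip())

def parse_ps_table(ps_output: str) -> Dict[int, int]:
    """Step 4: turn the text of `ps axo pid,ppid` into a {pid: ppid} map."""
    table: Dict[int, int] = {}
    for row in ps_output.strip().splitlines()[1:]:   # first row is the PID/PPID header
        pid, ppid = row.split()
        table[int(pid)] = int(ppid)
    return table

def validate(line: str, gen_pid: int, ps_table: Dict[int, int]) -> Optional[Tuple[str, str, str]]:
    """Steps 1-6.  None when the line carries no signature, otherwise
    (verdict, attacker address, reason) with verdict "ACCEPT" or "REJECT"."""
    m = ATTACK_RE.match(line)
    if m is None:
        return None                                   # step 1: not an attack signature
    log_pid = int(m.group("pid"))                     # step 2: logPID
    attacker = m.group("ip1") or m.group("ip2")
    if log_pid == gen_pid:                            # step 3: logged by the daemon itself
        return ("ACCEPT", attacker, "logPID equals genPID")
    if ps_table.get(log_pid) == gen_pid:              # step 5: direct child of genPID (assumption)
        return ("ACCEPT", attacker, "logPID is a child of genPID")
    return ("REJECT", attacker,                       # step 6
            "logPID unknown or not a child of genPID (forged, or the child already exited)")

def audit(lines: List[str], gen_pid: int, ps_table: Dict[int, int]) -> Dict[str, Dict[str, int]]:
    """Run validate() over a batch of lines and count verdicts per attacker address."""
    counts: Dict[str, Dict[str, int]] = {}
    for line in lines:
        verdict = validate(line, gen_pid, ps_table)
        if verdict is None:
            continue
        status, attacker, _ = verdict
        counts.setdefault(attacker, {"ACCEPT": 0, "REJECT": 0})[status] += 1
    return counts

# ---- constructed sample data (not taken from the thread's hosts) ----
PIDFILE = "4547\n"                      # genPID, as /var/run/sshd.pid would contain it
PS_BEFORE_EXIT = """  PID  PPID
    1     0
 4547     1
 8307  4547
 8310  8301
"""                                     # snapshot while sshd's child 8307 is still alive
PS_AFTER_EXIT = """  PID  PPID
    1     0
 4547     1
 8310  8301
"""                                     # snapshot after 8307 exited: the race in the thread
GENUINE = ("Apr 29 22:49:29 myhost sshd[8307]: User root from 203.0.113.99 "
           "not allowed because none of user's groups are listed in AllowGroups")
FROM_DAEMON = "Apr 29 22:49:30 myhost sshd[4547]: Invalid user desktop from 203.0.113.99"
FORGED = "Apr 29 22:49:31 myhost sshd[31337]: Invalid user mailnull from 198.51.100.7"
NOISE = "Apr 29 22:49:32 myhost sshguard[8301]: Running 'ps axo pid,ppid'."

if __name__ == "__main__":
    gen = read_pidfile(PIDFILE)
    for name, snapshot in (("before exit", PS_BEFORE_EXIT), ("after exit", PS_AFTER_EXIT)):
        print(name, audit([GENUINE, FROM_DAEMON, FORGED, NOISE], gen, parse_ps_table(snapshot)))
```

Run with the "before exit" snapshot, the genuine line is accepted and the line whose PID belongs to no process is rejected; with the "after exit" snapshot the genuine line is rejected with the same reason, which is exactly why the thread's "Ignore attack as pid ... has been forged" messages are indistinguishable from real forgeries once the child is gone.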
From: Mij <mi...@ss...> - 2010-03-18 22:04:39
On Mar 17, 2010, at 21:58 , Robert S wrote:
> Thanks.
>
> I left sshguard running overnight with the above config and recorded hundreds of attempts to log in that were not blocked. It appears that the syslog-ng config is not sending messages to sshguard.
>
> I have just downgraded sshguard to 1.4.4 and the logging is appearing again in my system log:

Combining the two pieces of information: if syslog-ng doesn't pass stuff to sshguard, it may not activate the destination at all, that is, not start sshguard. In turn this may explain the absence of logs.

What about running 1.5 with log sucking? The log sucker saves the syslog configuration hassle. See http://www.sshguard.net/docs/setup/getlogs/log-sucker/

> Mar 18 07:48:23 hostname syslog-ng[30304]: Configuration reload request received, reloading configuration;
> Mar 18 07:48:23 hostname sshguard[27966]: authenticating service 100 with process ID from /var/run/sshd.pid
> Mar 18 07:48:23 hostname sshguard[27966]: whitelist: add block: 192.168.2.0 with mask 24.
> Mar 18 07:48:23 hostname sshguard[27966]: whitelist: add '127.0.0.1' as plain IPv4.
> Mar 18 07:48:23 hostname sshguard[27966]: whitelist: add plain ip 127.0.0.1.
> Mar 18 07:48:23 hostname sshguard[27966]: Run command "iptables -L": exited 0.
> Mar 18 07:48:23 hostname sshguard[27966]: Blacklist loaded, 0 addresses.
> Mar 18 07:48:23 hostname sshguard[27966]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
From: Robert S <rob...@gm...> - 2010-04-11 08:58:38
>> I left sshguard running overnight with the above config and recorded hundreds of attempts to log in that were not blocked. It appears that the syslog-ng config is not sending messages to sshguard.
>>
>> I have just downgraded sshguard to 1.4.4 and the logging is appearing again in my system log:
>
> Combining the two pieces of information: if syslog-ng doesn't pass stuff to sshguard, it may not activate
> the destination at all, that is, not start sshguard. In turn this may explain the absence of logs.
>
> What about running 1.5 with log sucking? The log sucker saves the syslog configuration hassle.
> See
> http://www.sshguard.net/docs/setup/getlogs/log-sucker/

I have reinstalled 1.5 and have it running in the background using the log sucker:

# ps ax |grep sshguard
7730 ? Sl 0:00 /usr/sbin/sshguard -l /var/log/auth.log -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist

At first this seemed to work this morning - I tried to log in from another of my servers at www.xxx.yyy.zzz:

Apr 11 08:17:47 myhost sshd[7743]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 08:17:49 myhost sshd[7745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root
Apr 11 08:17:51 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
Apr 11 08:17:51 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
Apr 11 08:17:52 myhost sshd[7748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root
Apr 11 08:17:55 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
Apr 11 08:17:55 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
Apr 11 08:17:55 myhost sshguard[7730]: Blocking www.xxx.yyy.zzz:4 for >420secs: 40 danger over 7 seconds.

Later in the day there was an intrusion attempt:

Apr 11 16:02:35 myhost sshd[19986]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
Apr 11 16:02:38 myhost sshd[19988]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
Apr 11 16:02:41 myhost sshd[19990]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
<etc>

.. no attempt by sshguard to block it.

I've also tried logging in from www.xxx.yyy.zzz again:

Apr 11 18:48:28 myhost sshd[20859]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:33 myhost sshd[20862]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:36 myhost sshd[20865]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:39 myhost sshd[20868]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:42 myhost sshd[20871]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:45 myhost sshd[20874]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:47 myhost sshd[20877]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:50 myhost sshd[20880]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups

Thus the log sucking (and also the syslog) method seems to work initially, but later stops. If I kill the sshguard process then it works again:

Apr 11 18:52:36 myhost sshd[21020]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:52:39 myhost sshd[21025]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:52:40 myhost sshguard[20999]: Blocking www.xxx.yyy.zzz:4 for >420secs: 40 danger over 9 seconds.

I can't seem to explain this behaviour. I've tried several versions and nothing before 1.5 seems to work consistently.
From: Mij <mi...@ss...> - 2010-04-11 12:08:19
All of the messages you report should be recognized by sshguard. It may be a problem in the log sucker, although I'd be surprised not to have similar reports earlier. It's more difficult to investigate the problem here then.

Some ways you can proceed, when you notice attacks that aren't being blocked:

1) run a "grep sshguard /var/log/auth.log" (or wherever sshguard logging is sent):
   - any message besides the Blocking ones?
2) do a "ls -l" on the log files you're making sshguard monitor. Is there any fresh? (just rotated)
3) check with top, ps, and lsof (or equivalent for your OS):
   - is sshguard taking significant CPU load? (looping)
   - what is the state reported by ps?
   - what files are open?
4) any change if you suspend and resume sshguard:
   killall -TSTP sshguard
   sleep 2
   killall -CONT sshguard

If you're up for harder stuff, you can proceed with:

1) changing sshguard_log_minloglevel to LOG_DEBUG in src/sshguard_log.c and recompile
2) compile with debug symbols:
   ./configure --enable-debug --with-firewall=yours
   make

then, when observing the "downtime", attach to the running process from gdb:

ps ax | grep sshguard    --> read the PID
gdb
(gdb) attach PID
...
(gdb) break
(gdb) backtrace full

On Apr 11, 2010, at 10:58 , Robert S wrote:
> [...]
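The failure reported above is silent: sshguard stays in the process list while sshd keeps logging attacks and no "Blocking" line ever follows, so nothing short of reading the log notices it. The script below is an added example (not part of this thread and not sshguard's own code or scoring) that replays sshd/sshguard syslog lines and raises a finding whenever a source reaches the block threshold and then keeps reaching sshd with no block logged. The threshold, pardon and stale values come from the banner "[(a,p,s)=(4, 420, 1200)]" and the "40 danger over 7 seconds" message quoted in the thread; the 10-danger-per-attack scoring and the 5-second grace period are assumptions of the example, and the sample log is constructed from the 08:17 and 18:48 sequences posted above.

```python
"""Detect sshguard going quiet: replay syslog lines and, per source and per
threshold crossing, report whether the expected block followed.
Added example; the scoring model is an assumption, not sshguard's code."""
import re
from collections import defaultdict
from datetime import datetime

# From the thread's banner "[(a,p,s)=(4, 420, 1200)]" and "40 danger" message.
ATTACKS_TO_BLOCK = 4      # a: attacks before a block
PARDON_S = 420            # p: how long a block lasts
STALE_S = 1200            # s: attacks older than this are forgotten
DANGER_PER_ATTACK = 10    # assumption: 4 attacks == 40 danger in the posted logs
BLOCK_DANGER = ATTACKS_TO_BLOCK * DANGER_PER_ATTACK
GRACE_S = 5               # assumption: a block is expected within 5 s of the 4th attack

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")
# The sshd messages seen in the thread; each capture group is the source host.
ATTACK_RES = [
    re.compile(r"sshd\[\d+\]: User \S+ from (\S+) not allowed because none of "
               r"user's groups are listed in AllowGroups"),
    re.compile(r"sshd\[\d+\]: error: PAM: Authentication failure for illegal user \S+ from (\S+)"),
    re.compile(r"sshd\[\d+\]: Failed \S+ for invalid user \S+ from (\S+) port \d+ ssh2"),
]
BLOCK_RE = re.compile(r"sshguard\[\d+\]: Blocking (\S+):\d+ for >\d+secs")


def parse_ts(line, year=2010):
    """Syslog timestamps carry no year; the caller supplies it (2010 here)."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def audit(lines, grace_s=GRACE_S):
    """One episode per threshold crossing: {"source", "crossed_at", "outcome",
    "evidence"}; outcome is "blocked", "MISSING_BLOCK" or "pending"."""
    attacks = defaultdict(list)   # source -> timestamps still counted
    open_ep = {}                  # source -> index of its current episode
    episodes = []
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        m = BLOCK_RE.search(line)
        if m:
            i = open_ep.get(m.group(1))
            if i is not None and episodes[i]["outcome"] == "pending":
                episodes[i].update(outcome="blocked", evidence=ts)
            continue
        for rx in ATTACK_RES:
            m = rx.search(line)
            if not m:
                continue
            src = m.group(1)
            i = open_ep.get(src)
            if i is not None:
                ep = episodes[i]
                age = (ts - ep["crossed_at"]).total_seconds()
                if ep["outcome"] == "pending" and age >= grace_s:
                    # Still reaching sshd well after the block was due.
                    ep.update(outcome="MISSING_BLOCK", evidence=ts)
                if age > PARDON_S:
                    del open_ep[src]      # any block has expired: new cycle
                    attacks[src] = []
            recent = [t for t in attacks[src] if (ts - t).total_seconds() <= STALE_S]
            recent.append(ts)
            attacks[src] = recent
            if src not in open_ep and len(recent) * DANGER_PER_ATTACK >= BLOCK_DANGER:
                open_ep[src] = len(episodes)
                episodes.append({"source": src, "crossed_at": ts,
                                 "outcome": "pending", "evidence": None})
            break
    return episodes


# Constructed sample: the thread's 08:17 (blocked) and 18:48 (unblocked) runs.
SAMPLE_LOG = """\
Apr 11 08:17:47 myhost sshd[7743]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 08:17:49 myhost sshd[7745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root
Apr 11 08:17:51 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
Apr 11 08:17:51 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
Apr 11 08:17:52 myhost sshd[7748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root
Apr 11 08:17:55 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
Apr 11 08:17:55 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
Apr 11 08:17:55 myhost sshguard[7730]: Blocking www.xxx.yyy.zzz:4 for >420secs: 40 danger over 7 seconds.
Apr 11 18:48:28 myhost sshd[20859]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:33 myhost sshd[20862]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:36 myhost sshd[20865]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:39 myhost sshd[20868]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:42 myhost sshd[20871]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:45 myhost sshd[20874]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
""".splitlines()

if __name__ == "__main__":
    for ep in audit(SAMPLE_LOG):
        print(f"{ep['source']} hit threshold at {ep['crossed_at']:%H:%M:%S}: "
              f"{ep['outcome']} (evidence {ep['evidence']})")
```

Run against the sample, the 08:17 run reports "blocked" (the Blocking line lands in the same second as the fourth attack) and the 18:48 run reports "MISSING_BLOCK" with the 18:48:45 attempt as evidence, which is exactly the symptom in the thread. Pointed at a real auth.log, a cron job that exits non-zero on any MISSING_BLOCK episode turns the silent failure into an alert; the pardon handling matters because the same source can legitimately produce a second episode once its block has expired.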
From: Robert S <rob...@gm...> - 2010-04-14 01:51:19
Thanks.

This seems to be an intermittent problem and can be difficult to reproduce. It usually starts some time after I have invoked the sshguard command.

I am running sshguard in a screen session:

# export SSHGUARD_DEBUG=0; sshguard -l /var/log/auth.log -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist 2>&1 | tee /tmp/sshguard.log

After a while, the logging seems to stop happening:

Reading a token: --accepting rule at line 133 (" not allowed because none of user's groups are listed in AllowGroups")
Next token is token SSH_NOTALLOWEDSUFF ()
Shifting token SSH_NOTALLOWEDSUFF ()
Entering state 71
Reducing stack by rule 32 (line 275):
   $1 = token SSH_NOTALLOWEDPREF ()
   $2 = nterm addr ()
   $3 = token SSH_NOTALLOWEDSUFF ()
-> $$ = nterm ssh_illegaluser ()
Stack now 0 1
Entering state 31
Reducing stack by rule 26 (line 263):
   $1 = nterm ssh_illegaluser ()
-> $$ = nterm sshmsg ()
Stack now 0 1
Entering state 30
Reducing stack by rule 11 (line 169):
   $1 = nterm sshmsg ()
-> $$ = nterm msg_single ()
Stack now 0 1
Entering state 28
Reducing stack by rule 9 (line 163):
   $1 = nterm msg_single ()
-> $$ = nterm logmsg ()
Stack now 0 1
Entering state 46
Reducing stack by rule 5 (line 138):
   $1 = token SYSLOG_BANNER_PID ()
   $2 = nterm logmsg ()

< nothing happens from here on even if I try to log in again using ssh >

If I enter killall -TSTP sshguard and killall -CONT sshguard, nothing happens to the log output.

"top" does not reveal excess use of CPU.

Here is lsof output

# lsof |grep sshguard
sshguard  6376 root  cwd   DIR    3,6     4096  735903 /root
sshguard  6376 root  rtd   DIR    3,6     4096       2 /
sshguard  6376 root  txt   REG    3,6   371826  757808 /root/sshguard/sshguard
sshguard  6376 root  mem   REG    3,6  1399984  654712 /lib/libc-2.10.1.so
sshguard  6376 root  mem   REG    3,6   137284  654892 /lib/libpthread-2.10.1.so
sshguard  6376 root  mem   REG    3,6   123168  654880 /lib/ld-2.10.1.so
sshguard  6376 root    0u  CHR  136,1      0t0       4 /dev/pts/1
sshguard  6376 root    1w FIFO    0,5      0t0   11866 pipe
sshguard  6376 root    2w FIFO    0,5      0t0   11866 pipe
sshguard  6376 root    3r  REG    3,8   141517   31962 /var/log/auth.log
sshguard  6376 root    4r FIFO    0,5      0t0   14686 pipe
sshguard  6376 root    5w FIFO    0,5      0t0   14686 pipe
tee       6377 root    3w  REG    3,6    37094  703149 /tmp/sshguard.log

Here is the ps and gdb output:

# ps ax |grep sshguard
 6376 pts/1    Sl+    0:00 sshguard/sshguard -l /var/log/auth.log -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist
 6377 pts/1    S+     0:00 tee /tmp/sshguard.log
 6754 pts/0    R+     0:00 grep --colour=auto sshguard

# gdb
warning: Can not parse XML syscalls information; XML support was disabled at compile time.
GNU gdb (Gentoo 7.0 p2) 7.0
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
(gdb) attach 6376
Attaching to process 6376
Reading symbols from /root/sshguard/sshguard...done.
Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
[New Thread 0x7f997084d910 (LWP 6380)]
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
0x00007f9970bb593f in waitpid () from /lib/libpthread.so.0
(gdb) break
Breakpoint 1 at 0x7f9970bb593f
(gdb) backtrace full
#0  0x00007f9970bb593f in waitpid () from /lib/libpthread.so.0
No symbol table info available.
#1  0x0000000000403e56 in procauth_ischildof (service_code=<value optimized out>, pid=6453) at sshguard_procauth.c:210
        retA = <value optimized out>
        pidA = <value optimized out>
        ps2grep = {4, 5}
        pattern = "6453[[:space:]]+4547\000\177\000\000o\340\213p\231\177"
        retB = <value optimized out>
        pidB = <value optimized out>
#2  procauth_isauthoritative (service_code=<value optimized out>, pid=6453) at sshguard_procauth.c:138
No locals.
#3  0x0000000000407f56 in yyparse (source_id=-194048594) at attack_parser.y:140
        yystate = <value optimized out>
        yyn = 0
        yyresult = <value optimized out>
        yyerrstatus = 0
        yytoken = 16
        yyssa = {0, 1, 46, 53, 71, 28811, 32665, 0, 1, 0, 1, 0, 6240, 28858, 32665, 0, 6240, 28858, 32665, 0, 1, 0, 0, 0, 6371, 28858, 32665, 0, -11334, 28811, 32665, 0, -7336, 28925, 32665, 0, 1, 0, 0, 0, 6240, 28858, 32665, 0, 10, 0, 0, 0, 1024, 0, 0, 0, -10507, 28811, 32665, 0, 6240, 28858, 32665, 0, -8081, 28811, 32665, 0, 6240, 28858, 32665, 0, 10, 0, 0, 0, 24, 0, 0, 0, -2176, 14210, 32767, 0, -2384, 14210, 32767, 0, 24032, 101, 0, 0, -2368, 14210, 32767, 0, 14856, 64, 0, 0, -30720, 0, 0, 0, -2096, 14210, 32767, 0, -2336, 14210, 32767, 0, 29248, 99, 5, 0, 28384, 102, 0, 0, 32, 0, 0, 0, 24032, 101, 0, 0, 19547, 28859, 32665, 0, 4196, 28858, 32665, 0, 72, 0, 0, 0, 11872, 28858, 32665, 0, 20026, 64, 0, 0, 776, 0, 0, 0, 31962, 0, 0, 0, 192, 0, 0, 0, 138, 0, 0, 0, 0, 0, 0, 0, 19561, 28859, 32665, 0, 0, 0, 0, 0, 11872, 28858, 32665, 0, -14704, 99, 0, 0, 72, 0, 0, 0, 138, 0, 0, 0, -960, 14210, 32767, 0, -23664, 100, 0, 0, 25386, 28812, 32665, 0}
        yyss = 0x7fff3782f600
        yyssp = 0x7fff3782f604
        yyvsa 
= {{str = 0x0, num = 0}, {str = 0x1935 <Address 0x1935 out of bounds>, num = 6453}, {str = 0x1935 <Address 0x1935 out of bounds>, num = 6453}, { str = 0x638280 " not allowed because none of user's groups are listed in AllowGroups", num = 6521472}, { str = 0x638280 " not allowed because none of user's groups are listed in AllowGroups", num = 6521472}, {str = 0x7f9970ba2e60 "", num = 1891249760}, { str = 0x0, num = 0}, {str = 0x4 <Address 0x4 out of bounds>, num = 4}, {str = 0x63cc00 "\020pf", num = 6540288}, { str = 0x2d50 <Address 0x2d50 out of bounds>, num = 11600}, {str = 0x2b <Address 0x2b out of bounds>, num = 43}, { str = 0x112 <Address 0x112 out of bounds>, num = 274}, {str = 0x7fff3782f039 "\003", num = 931328057}, {str = 0x7fff3782f001 "\314c", num = 931328001}, { str = 0x3f0 <Address 0x3f0 out of bounds>, num = 1008}, {str = 0x3c8 <Address 0x3c8 out of bounds>, num = 968}, {str = 0x0, num = 0}, { str = 0x7fff3782ef30 "\004", num = 931327792}, {str = 0x666fe0 "", num = 6713312}, {str = 0x2708f8e03 <Address 0x2708f8e03 out of bounds>, num = 1888456195}, {str = 0x3782f0a0 <Address 0x3782f0a0 out of bounds>, num = 931328160}, {str = 0x70ba2e60 <Address 0x70ba2e60 out of bounds>, num = 1891249760}, {str = 0x0, num = 0}, {str = 0x3d0063f988 <Address 0x3d0063f988 out of bounds>, num = 6551944}, {str = 0x7fff3782f7ac "", num = 931329964}, {str = 0x7f9970ba2e60 "", num = 1891249760}, {str = 0x50 <Address 0x50 out of bounds>, num = 80}, { str = 0x48 <Address 0x48 out of bounds>, num = 72}, {str = 0x63f930 "\340of", num = 6551856}, {str = 0x63dd70 " \340c", num = 6544752}, { str = 0x63fa48 "", num = 6552136}, {str = 0x7f99708c632a "H\205\300H\211\305\017\204\232", num = 1888248618}, {str = 0x63cc00 "\020pf", num = 6540288}, { str = 0x63dd70 " \340c", num = 6544752}, {str = 0x0, num = 0}, {str = 0x300000000 <Address 0x300000000 out of bounds>, num = 0}, { str = 0x63f930 "\340of", num = 6551856}, {str = 0x7f9970ba2e60 "", num = 1891249760}, {str = 0x0, num = 0}, { str 
= 0x63d1c8 "al/var/sshguard/blacklist.db", num = 6541768}, {str = 0x7fff3782f130 "\377\377\377\377", num = 931328304}, {str = 0x0, num = 0}, { str = 0x63dd70 " \340c", num = 6544752}, {str = 0x63d248 "", num = 6541896}, {str = 0x3 <Address 0x3 out of bounds>, num = 3}, {str = 0x63d208 "", num = 6541832}, {str = 0xffffffff <Address 0xffffffff out of bounds>, num = -1}, {str = 0x7f99708f6eb0 "H\203\304\030\303ff.\017\037\204", num = 1888448176}, {str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str = 0x63d110 "", num = 6541584}, { str = 0xffffffff <Address 0xffffffff out of bounds>, num = -1}, { str = 0x7f99709029ac "I\211\304\061\300M\205\344\017\224\300\351\024\376\377\377\061\355H\213\224$\200", num = 1888496044}, { str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str = 0x7f9970ba2e60 "", num = 1891249760}, {str = 0x0, num = 0}, { ---Type <return> to continue, or q <return> to quit--- str = 0x4 <Address 0x4 out of bounds>, num = 4}, {str = 0x63cc00 "\020pf", num = 6540288}, {str = 0x12b0 <Address 0x12b0 out of bounds>, num = 4784}, { str = 0x7fff3782f2e0 "\024", num = 931328736}, {str = 0xfffffffe00000004 <Address 0xfffffffe00000004 out of bounds>, num = 4}, {str = 0x7fff3782f32c "", num = 931328812}, {str = 0x7fff3782f210 "", num = 931328528}, {str = 0x0, num = 0}, {str = 0x0, num = 0}, {str = 0x7fff3782f300 "", num = 931328768}, { str = 0x7fff3782f2b0 "0\302\202\067\377\177", num = 931328688}, {str = 0x0, num = 0}, {str = 0x7fff3782f7ac "", num = 931329964}, { str = 0x3b2fc <Address 0x3b2fc out of bounds>, num = 242428}, {str = 0x7fff3782f790 "\210", num = 931329936}, {str = 0x7fff3782f720 "\b\003", num = 931329824}, {str = 0x0, num = 0}, {str = 0x2 <Address 0x2 out of bounds>, num = 2}, { str = 0x7f99708a1a8f "\351\357\362\377\377L\211\322H\213\005\022K0", num = 1888098959}, {str = 0x0, num = 0}, {str = 0x7fff3782f610 "\001", num = 931329552}, {str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str = 0x0, num = 0}, {str = 0x7fff3782f4db "", num = 931329243}, { 
str = 0x7f99708fe22c "\205\300\017\205\330\006", num = 1888477740}, {str = 0x7fff3782f4f0 "\234|\272p\231\177", num = 931329264}, { str = 0x7fff3782f330 "", num = 931328816}, {str = 0x7fff3782f310 "", num = 931328784}, {str = 0x7fff3782f2f0 "", num = 931328752}, { str = 0x7fff3782f38c "\231\177", num = 931328908}, {str = 0x7fff3782f370 "\002", num = 931328880}, {str = 0x7fff3782f350 "", num = 931328848}, { str = 0x7fff3782d230 "", num = 931320368}, {str = 0x64abe0 "p}d", num = 6597600}, {str = 0x63dd70 " \340c", num = 6544752}, {str = 0x0, num = 0}, { str = 0x7fff3782c1f0 "Пd", num = 931316208}, {str = 0x7fff3782c200 "\260\240d", num = 931316224}, {str = 0x7fff3782c210 "\340\241d", num = 931316240}, { str = 0x7fff3782c230 "\002", num = 931316272}, {str = 0x33782f5c0 <Address 0x33782f5c0 out of bounds>, num = 931329472}, {str = 0x63c440 "\220\324c", num = 6538304}, {str = 0x570ba2e60 <Address 0x570ba2e60 out of bounds>, num = 1891249760}, {str = 0x0, num = 0}, {str = 0x0, num = 0}, { str = 0x14 <Address 0x14 out of bounds>, num = 20}, {str = 0x2 <Address 0x2 out of bounds>, num = 2}, { str = 0x3ff200000000000 <Address 0x3ff200000000000 out of bounds>, num = 0}, {str = 0x0, num = 0}, {str = 0x0, num = 0}, {str = 0x0, num = 0}, { str = 0x0, num = 0}, {str = 0x7fffffe07fffffe <Address 0x7fffffe07fffffe out of bounds>, num = 134217726}, {str = 0x0, num = 0}, {str = 0x0, num = 0}, { str = 0x0, num = 0}, {str = 0x0, num = 0}, {str = 0x0, num = 0}, {str = 0x0, num = 0}, { str = 0x3ff200000000000 <Address 0x3ff200000000000 out of bounds>, num = 0}, {str = 0x7f9970dcbdb3 "\205\300t\016\213C\f\205\300\017\204\276", num = 1893514675}, {str = 0x0, num = 0}, {str = 0x7f9970fb8060 "\030\333\375p\231\177", num = 1895530592}, {str = 0x2 <Address 0x2 out of bounds>, num = 2}, {str = 0x4 <Address 0x4 out of bounds>, num = 4}, {str = 0xb1b73c55 <Address 0xb1b73c55 out of bounds>, num = -1313391531}, { str = 0x7f9970dcc274 
"H\205\300L\213D$\020D\213L$\bL\213\034$\017\205\067\376\377\377A\213\023\353\214I\203?", num = 1893515892}, { str = 0x7f9970850328 "U<\267\261}\367i\354\036\274y\207!\246>\030\203\217 \241\065'\230\312\364\027S\037\300\201\006\222\r~o\377\025\233z̗\344\020\234\344\353\362\261\222\022\260\210\337\317GF\237\006i\354\250\063\262\aEpN\375چ\375\"\321_9\017\026ϝ|\260JEK\255\350ۻ\272\206\370_\025-\313\023\204aw\375\336\266B\177\n\005\361ո+k\025\347\225 ", num = 1887765288}, {str = 0x7fff00000015 <Address 0x7fff00000015 out of bounds>, num = 21}, { str = 0x2c6dcf1 <Address 0x2c6dcf1 out of bounds>, num = 46587121}, {str = 0x7fff3782f3c0 "", num = 931328960}, { str = 0x7fff3782f518 "`\200\373p\231\177", num = 931329304}, {str = 0x7f99708fe22c "\205\300\017\205\330\006", num = 1888477740}, {str = 0x0, num = 0}, { str = 0x7fff3782f4b0 "", num = 931329200}, {str = 0x7fff3782f490 "`\030\272p\231\177", num = 931329168}, {str = 0x7fff3782f470 "`\030\272p\231\177", num = 931329136}, {str = 0x7fff3782f50c "\231\177", num = 931329292}, {str = 0x7fff3782f4f0 "\234|\272p\231\177", num = 931329264}, { str = 0x7fff3782f4d0 "\001", num = 931329232}, {str = 0x7fff3782d3b0 "", num = 931320752}, {str = 0x66e130 "\320\343f", num = 6742320}, { str = 0x63b350 "\360me", num = 6533968}, {str = 0x7fff00000000 <Address 0x7fff00000000 out of bounds>, num = 0}, {str = 0x7fff3782c380 "\340\343f", num = 931316608}, {str = 0x7fff3782c388 "\340\343f", num = 931316616}, {str = 0x7fff3782c390 "\340\343f", num = 931316624}, {str = 0x7fff3782c3b0 "\001", num = 931316656}, {str = 0x170ba1860 <Address 0x170ba1860 out of bounds>, num = 1891244128}, {str = 0x63b860 ".", num = 6535264}, { str = 0x400000001 <Address 0x400000001 out of bounds>, num = 1}, {str = 0x7f9970ba18e3 "\n", num = 1891244259}, { str = 0x7f99708bd3ba "H\211\305\017\267\203\200", num = 1888211898}, {str = 0x10 <Address 0x10 out of bounds>, num = 16}, { str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str = 0x7f9970ba1860 "\207(\255", 
<incomplete sequence \373>, num = 1891244128}, { str = 0xa <Address 0xa out of bounds>, num = 10}, {str = 0x400 <Address 0x400 out of bounds>, num = 1024}, { str = 0x7f99708bd6f5 "H9غ\377\377\377\377t\352\220\353\351fffff.\017\037\204", num = 1888212725}, { str = 0x7f9970ba1860 "\207(\255", <incomplete sequence \373>, num = 1891244128}, { str = 0x7f99708be06f "\203\300\001\017\205Y\377\377\377\270\377\377\377\377\351S\377\377\377f\017\037D", num = 1888215151}, { str = 0x7f9970ba1860 "\207(\255", <incomplete sequence \373>, num = 1891244128}, {str = 0xa <Address 0xa out of bounds>, num = 10}, {str = 0x0, num = 0}, {str = 0x7f9970dcbdb3 "\205\300t\016\213C\f\205\300\017\204\276", num = 1893514675}, {str = 0x0, num = 0}, {str = 0x7f9970fb8058 "X\326\375p\231\177", num = 1895530584}, {str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str = 0x4 <Address 0x4 out of bounds>, num = 4}, { str = 0x7c9d4d41 <Address 0x7c9d4d41 out of bounds>, num = 2090683713}, {str = 0x7f9970dcbdb3 "\205\300t\016\213C\f\205\300\017\204\276", num = 1893514675}, { str = 0x7f9970ba7c9c "AM\235|\265\351Z\361\321a\362\025\207zR\310SAM\266Q\265\250\020ٱy\227\341ڑ&\227\312\066\233m\232\277\327\215G\342)\313#\301\342\347R\222j8\265\357\060\071\265\357\060\355\256\204ͱ\246JdU\006j\354\233\017\070\001\271|\315\027\tC\351\034]\300\t>\211\307\334\310\357\361\337z\366\060\254\062\367\060\---Type <return> to continue, or q <return> to quit--- 254\062\065", num = 1891269788}, {str = 0x7f9970fb8058 "X\326\375p\231\177", num = 1895530584}, {str = 0x1 <Address 0x1 out of bounds>, num = 1}, { str = 0x7f9970dcbdb3 "\205\300t\016\213C\f\205\300\017\204\276", num = 1893514675}, {str = 0xf6cf05c <Address 0xf6cf05c out of bounds>, num = 258797660}, {str = 0x7f9970fb8060 "\030\333\375p\231\177", num = 1895530592}, {str = 0x2 <Address 0x2 out of bounds>, num = 2}, {str = 0x4 <Address 0x4 out of bounds>, num = 4}, {str = 0x3de00ec7 <Address 0x3de00ec7 out of bounds>, num = 1038094023}, { str = 0x7f9970dcc274 
"H\205\300L\213D$\020D\213L$\bL\213\034$\017\205\067\376\377\377A\213\023\353\214I\203?", num = 1893515892}, { str = 0x7f99708501ec "\307\016\340=i\177\200&\022\226\370\022\341X\037\304m\354\305\362\202\254l\001MW\211[e\345-\017\364\347\313\016\341\201/\177L־\314\352\033h\236\361\274\017\257f\177\023\376&W3\354\262\314\356Ei\344u\017P\230;\017\347+6\325\004y\247\025d\001\003\v\264\270#\375ˁ\"\b|\355\021\017gUa\020։+\243߅\351v\371\274\017\257\276\206\357\016\260\275\204 \301\256\020ia", <incomplete sequence \333>, num = 1887764972}, { str = 0x7f9900000007 <Address 0x7f9900000007 out of bounds>, num = 7}, {str = 0xf7803b <Address 0xf7803b out of bounds>, num = 16220219}, { str = 0x7fff3782f570 "", num = 931329392}, {str = 0x7fff3782f6c8 "\320\367\202\067\377\177", num = 931329736}, {str = 0x7f9970851c10 "", num = 1887771664}, {str = 0x0, num = 0}, {str = 0x7f9970fb80a0 "\355\020@", num = 1895530656}, {str = 0x7f9970fddb18 "", num = 1895684888}, { str = 0x400f08 "realloc", num = 4198152}, {str = 0x7f997085e558 "", num = 1887823192}, {str = 0x400c68 "P\001", num = 4197480}, { str = 0x500000000 <Address 0x500000000 out of bounds>, num = 0}, {str = 0x1000001db <Address 0x1000001db out of bounds>, num = 475}, { str = 0xf6cf05c <Address 0xf6cf05c out of bounds>, num = 258797660}, {str = 0x7f9970fde358 "\270\342\375p\231\177", num = 1895687000}, { str = 0x7fff3782f700 "d\020\272p\231\177", num = 931329792}, {str = 0x7fff3782f6c8 "\320\367\202\067\377\177", num = 931329736}, { str = 0x3de00ec7 <Address 0x3de00ec7 out of bounds>, num = 1038094023}, { str = 0x7f9970911889 "H\213D$\bH\203\304(H=\001\360\377\377s\001\303H\213\r\006\367(", num = 1888557193}, {str = 0x0, num = 0}, { str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str = 0x7f9970ba18e3 "\n", num = 1891244259}, {str = 0x1 <Address 0x1 out of bounds>, num = 1}} yyvs = 0x7fff3782efc0 yyvsp = 0x7fff3782efd0 yystacksize = 200 yyval = <value optimized out> yylen = 2 #4 0x00000000004082e1 in parse_line 
(source_id=-194048594, str=<value optimized out>) at attack_parser.y:379
        ret = <value optimized out>
#5  0x00000000004025c1 in main (argc=6803856, argv=0x0) at sshguard.c:218
        tid = 140296994478352
        retv = <value optimized out>
        source_id = 4100918702
        buf = "Apr 14 08:48:36 basement sshd[6453]: User nobody from 122.227.43.37 not allowed because none of user's groups are listed in AllowGroups\n\000\000\000\000\000\000\000\000\207\360\226|\000\000\000\000t\302\334p\231\177\000\000\330\033\205p\231\177\000\000\a\000\000\000\000\000\000\000\302[\362\001\000\000\000\000 \371\202\067\377\177\000\000x\372\202\067\377\177\000\000\020\034\205p\231\177\000\000\000\000\000\000\000\000\000\000\300\204\373p\231\177\000\000"...

HTH ;-)
From: Mij <mi...@ss...> - 2010-04-27 15:41:35
Hey Robert

Your backtrace seems interesting. sshguard seems waiting while performing process authentication. Procauth has been there for long and should be stable. Can you please try to temporarily disable the "-f 100:/var/run/sshd.pid" and observe if you still get that? The outcome will confirm/falsify the insight.

michele

On Apr 14, 2010, at 03:51 , Robert S wrote:
> [...]
bounds>, num = 21}, { > str = 0x2c6dcf1 <Address 0x2c6dcf1 out of bounds>, num = > 46587121}, {str = 0x7fff3782f3c0 "", num = 931328960}, { > str = 0x7fff3782f518 "`\200\373p\231\177", num = > 931329304}, {str = 0x7f99708fe22c "\205\300\017\205\330\006", num = > 1888477740}, {str = 0x0, num = 0}, { > str = 0x7fff3782f4b0 "", num = 931329200}, {str = > 0x7fff3782f490 "`\030\272p\231\177", num = 931329168}, {str = > 0x7fff3782f470 "`\030\272p\231\177", > num = 931329136}, {str = 0x7fff3782f50c "\231\177", num = > 931329292}, {str = 0x7fff3782f4f0 "\234|\272p\231\177", num = > 931329264}, { > str = 0x7fff3782f4d0 "\001", num = 931329232}, {str = > 0x7fff3782d3b0 "", num = 931320752}, {str = 0x66e130 "\320\343f", num > = 6742320}, { > str = 0x63b350 "\360me", num = 6533968}, {str = > 0x7fff00000000 <Address 0x7fff00000000 out of bounds>, num = 0}, {str > = 0x7fff3782c380 "\340\343f", > num = 931316608}, {str = 0x7fff3782c388 "\340\343f", num = > 931316616}, {str = 0x7fff3782c390 "\340\343f", num = 931316624}, {str > = 0x7fff3782c3b0 "\001", > num = 931316656}, {str = 0x170ba1860 <Address 0x170ba1860 > out of bounds>, num = 1891244128}, {str = 0x63b860 ".", num = > 6535264}, { > str = 0x400000001 <Address 0x400000001 out of bounds>, num > = 1}, {str = 0x7f9970ba18e3 "\n", num = 1891244259}, { > str = 0x7f99708bd3ba "H\211\305\017\267\203\200", num = > 1888211898}, {str = 0x10 <Address 0x10 out of bounds>, num = 16}, { > str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str = > 0x7f9970ba1860 "\207(\255", <incomplete sequence \373>, num = > 1891244128}, { > str = 0xa <Address 0xa out of bounds>, num = 10}, {str = > 0x400 <Address 0x400 out of bounds>, num = 1024}, { > str = 0x7f99708bd6f5 > "H9غ\377\377\377\377t\352\220\353\351fffff.\017\037\204", num = > 1888212725}, { > str = 0x7f9970ba1860 "\207(\255", <incomplete sequence > \373>, num = 1891244128}, { > str = 0x7f99708be06f > "\203\300\001\017\205Y\377\377\377\270\377\377\377\377\351S\377\377\377f\017\037D", > num = 
1888215151}, { > str = 0x7f9970ba1860 "\207(\255", <incomplete sequence > \373>, num = 1891244128}, {str = 0xa <Address 0xa out of bounds>, num > = 10}, {str = 0x0, num = 0}, > {str = 0x7f9970dcbdb3 > "\205\300t\016\213C\f\205\300\017\204\276", num = 1893514675}, {str = > 0x0, num = 0}, {str = 0x7f9970fb8058 "X\326\375p\231\177", > num = 1895530584}, {str = 0x1 <Address 0x1 out of bounds>, > num = 1}, {str = 0x4 <Address 0x4 out of bounds>, num = 4}, { > str = 0x7c9d4d41 <Address 0x7c9d4d41 out of bounds>, num = > 2090683713}, {str = 0x7f9970dcbdb3 > "\205\300t\016\213C\f\205\300\017\204\276", > num = 1893514675}, { > str = 0x7f9970ba7c9c > "AM\235|\265\351Z\361\321a\362\025\207zR\310SAM\266Q\265\250\020ٱy\227\341ڑ&\227\312\066\233m\232\277\327\215G\342)\313#\301\342\347R\222j8\265\357\060\071\265\357\060\355\256\204ͱ\246JdU\006j\354\233\017\070\001\271|\315\027\tC\351\034]\300\t>\211\307\334\310\357\361\337z\366\060\254\062\367\060\---Type > <return> to continue, or q <return> to quit--- > 254\062\065", num = 1891269788}, {str = 0x7f9970fb8058 > "X\326\375p\231\177", num = 1895530584}, {str = 0x1 <Address 0x1 out > of bounds>, num = 1}, { > str = 0x7f9970dcbdb3 > "\205\300t\016\213C\f\205\300\017\204\276", num = 1893514675}, {str = > 0xf6cf05c <Address 0xf6cf05c out of bounds>, num = 258797660}, > {str = 0x7f9970fb8060 "\030\333\375p\231\177", num = > 1895530592}, {str = 0x2 <Address 0x2 out of bounds>, num = 2}, {str = > 0x4 <Address 0x4 out of bounds>, > num = 4}, {str = 0x3de00ec7 <Address 0x3de00ec7 out of > bounds>, num = 1038094023}, { > str = 0x7f9970dcc274 > "H\205\300L\213D$\020D\213L$\bL\213\034$\017\205\067\376\377\377A\213\023\353\214I\203?", > num = 1893515892}, { > str = 0x7f99708501ec > 
"\307\016\340=i\177\200&\022\226\370\022\341X\037\304m\354\305\362\202\254l\001MW\211[e\345-\017\364\347\313\016\341\201/\177L־\314\352\033h\236\361\274\017\257f\177\023\376&W3\354\262\314\356Ei\344u\017P\230;\017\347+6\325\004y\247\025d\001\003\v\264\270#\375ˁ\"\b|\355\021\017gUa\020։+\243߅\351v\371\274\017\257\276\206\357\016\260\275\204 > \301\256\020ia", <incomplete sequence \333>, num = 1887764972}, { > str = 0x7f9900000007 <Address 0x7f9900000007 out of > bounds>, num = 7}, {str = 0xf7803b <Address 0xf7803b out of bounds>, > num = 16220219}, { > str = 0x7fff3782f570 "", num = 931329392}, {str = > 0x7fff3782f6c8 "\320\367\202\067\377\177", num = 931329736}, {str = > 0x7f9970851c10 "", > num = 1887771664}, {str = 0x0, num = 0}, {str = > 0x7f9970fb80a0 "\355\020@", num = 1895530656}, {str = 0x7f9970fddb18 > "", num = 1895684888}, { > str = 0x400f08 "realloc", num = 4198152}, {str = > 0x7f997085e558 "", num = 1887823192}, {str = 0x400c68 "P\001", num = > 4197480}, { > str = 0x500000000 <Address 0x500000000 out of bounds>, num > = 0}, {str = 0x1000001db <Address 0x1000001db out of bounds>, num = > 475}, { > str = 0xf6cf05c <Address 0xf6cf05c out of bounds>, num = > 258797660}, {str = 0x7f9970fde358 "\270\342\375p\231\177", num = > 1895687000}, { > str = 0x7fff3782f700 "d\020\272p\231\177", num = > 931329792}, {str = 0x7fff3782f6c8 "\320\367\202\067\377\177", num = > 931329736}, { > str = 0x3de00ec7 <Address 0x3de00ec7 out of bounds>, num = > 1038094023}, { > str = 0x7f9970911889 > "H\213D$\bH\203\304(H=\001\360\377\377s\001\303H\213\r\006\367(", num > = 1888557193}, {str = 0x0, num = 0}, { > str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str = > 0x7f9970ba18e3 "\n", num = 1891244259}, {str = 0x1 <Address 0x1 out of > bounds>, num = 1}} > yyvs = 0x7fff3782efc0 > yyvsp = 0x7fff3782efd0 > yystacksize = 200 > yyval = <value optimized out> > yylen = 2 > #4 0x00000000004082e1 in parse_line (source_id=-194048594, str=<value > optimized out>) at attack_parser.y:379 > 
ret = <value optimized out> > #5 0x00000000004025c1 in main (argc=6803856, argv=0x0) at sshguard.c:218 > tid = 140296994478352 > retv = <value optimized out> > source_id = 4100918702 > buf = "Apr 14 08:48:36 basement sshd[6453]: User nobody from > 122.227.43.37 not allowed because none of user's groups are listed in > AllowGroups\n\000\000\000\000\000\000\000\000\207\360\226|\000\000\000\000t\302\334p\231\177\000\000\330\033\205p\231\177\000\000\a\000\000\000\000\000\000\000\302[\362\001\000\000\000\000 > \371\202\067\377\177\000\000x\372\202\067\377\177\000\000\020\034\205p\231\177\000\000\000\000\000\000\000\000\000\000\300\204\373p\231\177\000\000"... > > > HTH ;-) > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
From: Mij <mi...@ss...> - 2010-04-28 11:32:49
|
This should be fixed in r192.

On Apr 14, 2010, at 03:51 , Robert S wrote:
> Thanks.
>
> This seems to be an intermittent problem and can be difficult to reproduce. It usually starts some time after I have invoked the sshguard command.
>
> I am running sshguard in a screen session:
>
> # export SSHGUARD_DEBUG=0; sshguard -l /var/log/auth.log -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist 2>&1 | tee /tmp/sshguard.log
>
> After a while, the logging seems to stop happening: |
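The line sshguard was parsing when it hung (the buf in frame #5 of the backtrace above) is an sshd AllowGroups denial. As an added example that is not part of this thread and not sshguard's own attack_parser.y, the Python below shows the recognition step a log monitor has to perform for that message family: split the syslog prefix, match sshd's policy-denial messages (the AllowGroups, AllowUsers, DenyUsers and DenyGroups variants) and count events per source address. The function names are my own and the sample log lines are constructed.

```python
import re
from collections import Counter

# Added example, not sshguard's parser. Syslog prefix as seen in the
# backtrace's buf: "Apr 14 08:48:36 basement sshd[6453]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# sshd policy denials: "User X from ADDR not allowed because <reason>"
DENIAL_RE = re.compile(
    r"^User (?P<user>\S+) from (?P<addr>\S+) not allowed because "
    r"(?P<reason>none of user's groups are listed in AllowGroups"
    r"|not listed in AllowUsers|listed in DenyUsers"
    r"|a group is listed in DenyGroups)"
)


def parse_sshd_denial(line):
    """Return (user, addr, reason) for an sshd policy-denial line, else None."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or m.group("prog") != "sshd":
        return None
    d = DENIAL_RE.match(m.group("msg"))
    if not d:
        return None
    return d.group("user"), d.group("addr"), d.group("reason")


def denials_per_source(lines):
    """Count denial events per source address over a batch of log lines."""
    counts = Counter()
    for line in lines:
        hit = parse_sshd_denial(line)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)


# Constructed sample lines: the first repeats the message shape from the
# backtrace; the last two must be ignored by the denial matcher.
SAMPLE_LINES = [
    "Apr 14 08:48:36 basement sshd[6453]: User nobody from 122.227.43.37 "
    "not allowed because none of user's groups are listed in AllowGroups",
    "Apr 14 08:48:40 basement sshd[6460]: User root from 122.227.43.37 "
    "not allowed because not listed in AllowUsers",
    "Apr 14 08:48:41 basement sshd[6461]: Accepted publickey for alice "
    "from 192.168.2.10 port 50112 ssh2",
    "Apr 14 08:48:42 basement cron[120]: (root) CMD (run-parts /etc/cron.hourly)",
]
```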