sshguard duplicates processes multiple times if run from syslogd

in /etc/syslog.conf:

auth.info;authpriv.info |exec /usr/local/sbin/sshguard -a 20 -p 21600 -s 604800 -l - -l /var/log/exim/rejectlog -b 20:/var/db/sshguard.blacklist

after a while lots of parallel sshguard processes are seen (see below)

and then, attempt to edit ipfw table in parallel slow downs the system dramatically, and leads to denial of service

$ pstree
...
 |-+= 55514 root /usr/sbin/syslogd
 | |-+= 08592 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 08594 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 08595 root /usr/local/libexec/sshg-parser
 | | |--- 08596 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 08597 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 08598 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 13154 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 13156 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 13157 root /usr/local/libexec/sshg-parser
 | | |--- 13158 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 13159 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 13160 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 17958 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 17959 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 17960 root /usr/local/libexec/sshg-parser
 | | |--- 17961 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 17962 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 17963 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 25118 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 25120 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 25121 root /usr/local/libexec/sshg-parser
 | | |--- 25122 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 25123 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 25124 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 29769 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 29771 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 29772 root /usr/local/libexec/sshg-parser
 | | |--- 29773 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 29774 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 29775 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 34686 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 34688 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 34689 root /usr/local/libexec/sshg-parser
 | | |--- 34690 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 34691 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 34692 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 42812 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 42813 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 42814 root /usr/local/libexec/sshg-parser
 | | |--- 42815 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 42816 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 42817 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 47486 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 47488 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 47489 root /usr/local/libexec/sshg-parser
 | | |--- 47490 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 47491 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 47492 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 52566 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 52571 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 52572 root /usr/local/libexec/sshg-parser
 | | |--- 52573 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 52574 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 52575 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 55577 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 55579 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 55580 root /usr/local/libexec/sshg-parser
 | | |--- 55581 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 55582 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 55583 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 60880 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 60881 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 60882 root /usr/local/libexec/sshg-parser
 | | |--- 60883 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 60884 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 60885 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 65563 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 65564 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 65565 root /usr/local/libexec/sshg-parser
 | | |--- 65566 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 65567 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 65568 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 71632 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 71634 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 71635 root /usr/local/libexec/sshg-parser
 | | |--- 71636 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 71637 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 71638 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 77174 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 77176 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 77177 root /usr/local/libexec/sshg-parser
 | | |--- 77178 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 77179 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 77180 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 81813 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 81814 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 81815 root /usr/local/libexec/sshg-parser
 | | |--- 81816 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 81817 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 81818 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 89332 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 89334 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 89335 root /usr/local/libexec/sshg-parser
 | | |--- 89336 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 89337 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 89338 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | |-+= 94871 root /bin/sh /usr/local/sbin/sshguard ...
 | | |--- 94873 root tail -F -n 0 - /var/log/exim/rejectlog
 | | |--- 94874 root /usr/local/libexec/sshg-parser
 | | |--- 94875 root /usr/local/libexec/sshg-blocker ...
 | | \-+- 94876 root /bin/sh /usr/local/sbin/sshguard ...
 | |   \--- 94877 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
 | \-+= 99516 root /bin/sh /usr/local/sbin/sshguard ...
 |   |--- 99523 root tail -F -n 0 - /var/log/exim/rejectlog
 |   |--- 99524 root /usr/local/libexec/sshg-parser
 |   |--- 99525 root /usr/local/libexec/sshg-blocker ...
 |   \-+- 99526 root /bin/sh /usr/local/sbin/sshguard ...
 |     \--- 99527 root /bin/sh /usr/local/libexec/sshg-fw-ipfw
...

lsof for sshguard shell processes shows different pipes for each:

sh      8592 root    0u  PIPE 0xfffff801ef2da5f0    32768        ->0xfffff801ef2da758, cnt=16738, in=16738
sh      13154 root    0u  PIPE 0xfffff801017322f8    32768        ->0xfffff80101732460, cnt=18704, in=18704
sh      17958 root    0u  PIPE 0xfffff80067624be0    65536        ->0xfffff80067624d48, cnt=50625, in=50625
sh      25118 root    0u  PIPE 0xfffff801ebcab8e8    65536        ->0xfffff801ebcaba50, cnt=65506, in=65506
sh      29769 root    0u  PIPE 0xfffff80127a425f0    65536        ->0xfffff80127a42758, cnt=65417, in=65417
sh      34686 root    0u  PIPE 0xfffff802117c98e8    65536        ->0xfffff802117c9a50, cnt=65465, in=65465
sh      42812 root    0u  PIPE 0xfffff801084908e8    65536        ->0xfffff80108490a50, cnt=65360, in=65360
sh      47486 root    0u  PIPE 0xfffff80067624000    65536        ->0xfffff80067624168, cnt=65493, in=65493
sh      52566 root    0u  PIPE 0xfffff801ebcaa000    65536        ->0xfffff801ebcaa168, cnt=65490, in=65490
sh      55577 root    0u  PIPE 0xfffff801bc436be0    16384        ->0xfffff801bc436d48, cnt=2592, in=2592
sh      60880 root    0u  PIPE 0xfffff80020928000    16384        ->0xfffff80020928168, cnt=14987, in=14987
sh      65563 root    0u  PIPE 0xfffff800676245f0    16384        ->0xfffff80067624758, cnt=12085, in=12085
sh      71632 root    0u  PIPE 0xfffff801017325f0    65536        ->0xfffff80101732758, cnt=65500, in=65500
sh      71686 root    0u  PIPE 0xfffff80101733be0    16384        ->0xfffff80101733d48, cnt=12909, in=12909
sh      77174 root    0u  PIPE 0xfffff800114ef2f8    65536        ->0xfffff800114ef460, cnt=65442, in=65442
sh      81813 root    0u  PIPE 0xfffff801ebcaa5f0    65536        ->0xfffff801ebcaa758, cnt=65505, in=65505
sh      89332 root    0u  PIPE 0xfffff80014ed5000    65536        ->0xfffff80014ed5168, cnt=65420, in=65420
sh      94871 root    0u  PIPE 0xfffff800676258e8    65536        ->0xfffff80067625a50, cnt=65501, in=65501
sh      99516 root    0u  PIPE 0xfffff801084902f8    65536        ->0xfffff80108490460, cnt=65500, in=65500

But syslog has only one pipe opened:

$ lsof -p 55514 | fgrep PIPE
syslogd 55514 root   32u  PIPE 0xfffff8017ac8c460         0         ->0xfffff8017ac8c2f8

Looks like shell script does not handle properly closing of the pipe and all child processes remain running after syslog reopens pipe

That was worked before properly

$ uname -a
FreeBSD srv 11.2-RELEASE-p1 FreeBSD 11.2-RELEASE-p1 #5 r337530: Thu Aug  9 15:22:16 MSK 2018     root@srv:/usr/obj/usr/src/sys/SRV  amd64

Comments (11)