From: Alex Efros
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: runit not collecting zombies
Date: Wed, 12 Sep 2007 20:22:45 +0300
Organization: asdfGroup Inc., http://powerman.asdfGroup.com/
Message-ID: <20070912172245.GF12043@home.power>
To: supervision@list.skarnet.org

Hi!

On Wed, Sep 12, 2007 at 12:02:48PM -0400, Charlie Brady wrote:
> No, I just haven't seen any evidence. I suspect you are misinterpreting the
> misbehaviour of some program started from ssh, and attributing that
> program's failures to ssh. ssh is always used to start other programs, and
> other programs can always generate zombies. There's nothing ssh can do to

I don't think it's 'other programs'. If this issue happens with 'other
programs', then I'll probably see 'other programs' names in `ps` output,
while I have seen '[sshd]'.

I think this is the reason for ssh zombies:

(14) auth.err: Sep 5 09:02:00 sshd[3133]: error: channel 0: chan_read_failed for istate 3
(29) auth.info: Sep 5 18:13:37 sshd[1022]: Did not receive identification string from 85.17.106.138
(3789) auth.info: Sep 6 13:27:18 sshd[5016]: Invalid user apple from 81.228.45.11
(102) auth.info: Sep 6 13:27:52 sshd[5144]: User mysql not allowed because account is locked
(576) auth.info: Sep 11 16:24:04 sshd[1210]: Address 66.236.207.196 maps to intra-works.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
(1) auth.info: Sep 11 16:39:13 sshd[1323]: User ldap not allowed because shell /dev/null is not executable

The number in parens is the number of lines in my log similar to those
shown above.

This is usual enough nowadays. SSH worms trying to hack our systems.
My sshd has password authentication disabled, so I'm not worried much about
these worms... but it looks like they force sshd to fork and exit very quickly
because of failed auth, and so sshd starts producing unreaped zombies at some
point.

-- 
WBR, Alex.
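
An added example, not part of the original message or of runit or OpenSSH: a zombie stays in the process table until its parent calls wait(), so grouping zombies by parent PID shows whether the listening sshd or PID 1 is the process that is not reaping. The `ps` sample is constructed and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample of `ps -eo pid,ppid,stat,comm` output (not from the thread).
SAMPLE_PS = """\
  PID  PPID STAT COMMAND
    1     0 Ss   runit
  812     1 Ss   runsvdir
  840   812 Ss   runsv
  841   840 S    sshd
 2101   841 Z    sshd <defunct>
 2102   841 Z    sshd <defunct>
 2103     1 Z    sshd <defunct>
 2200     1 Z    cron <defunct>
 2300   841 Ss   sshd
"""

def parse_ps(text):
    """Return {pid: (ppid, stat, comm)} from `ps -eo pid,ppid,stat,comm` text."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 3)
        if len(fields) < 4 or not fields[0].isdigit():
            continue                            # tolerate blank or malformed rows
        pid, ppid, stat, comm = fields
        procs[int(pid)] = (int(ppid), stat, comm.replace("<defunct>", "").strip())
    return procs

def zombies_by_parent(procs):
    """Count zombies (STAT starting with Z) per (name, parent pid, parent name)."""
    tally = Counter()
    for pid, (ppid, stat, comm) in procs.items():
        if stat.startswith("Z"):
            parent = procs.get(ppid, (0, "?", "?"))[2]   # "?" if parent not listed
            tally[(comm, ppid, parent)] += 1
    return tally

def report(tally):
    """Most frequent (zombie, parent) pairs first, one line each."""
    ordered = sorted(tally.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{n} zombie(s) named {comm!r} waiting on parent {ppid} ({parent})"
            for (comm, ppid, parent), n in ordered]

if __name__ == "__main__":
    print("\n".join(report(zombies_by_parent(parse_ps(SAMPLE_PS)))))
```

Zombies whose parent is the listening sshd point at sshd; zombies reparented to PID 1 point at the init process.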