From: Charlie Brady <charlieb-supervision@budge.apana.org.au>
To: Alex Efros <powerman@powerman.asdfGroup.com>
Cc: supervision@list.skarnet.org
Subject: Re: runit not collecting zombies
Date: Wed, 12 Sep 2007 13:40:07 -0400 (EDT) [thread overview]
Message-ID: <Pine.LNX.4.64.0709121329560.24457@e-smith.charlieb.ott.istop.com> (raw)
In-Reply-To: <20070912172245.GF12043@home.power>
On Wed, 12 Sep 2007, Alex Efros wrote:
> On Wed, Sep 12, 2007 at 12:02:48PM -0400, Charlie Brady wrote:
>> No, I just haven't seen any evidence. I suspect you are misinterpreting the
>> misbehaviour of some program started from ssh, and attributing that
>> program's failures to ssh. ssh is always used to start other programs, and
>> other programs can always generate zombies. There's nothing ssh can do to
>
> I don't think it's 'other programs'. If this issue happens with
> 'other programs', then I'll probably see 'other programs' names in `ps`
> output, while I have seen '[sshd]'.
Indeed. Please remember that we haven't seen your ps output.
> I think this is the reason for ssh zombies:
>
> (14) auth.err: Sep 5 09:02:00 sshd[3133]: error: channel 0: chan_read_failed for istate 3
> (29) auth.info: Sep 5 18:13:37 sshd[1022]: Did not receive identification string from 85.17.106.138
> (3789) auth.info: Sep 6 13:27:18 sshd[5016]: Invalid user apple from 81.228.45.11
> (102) auth.info: Sep 6 13:27:52 sshd[5144]: User mysql not allowed because account is locked
> (576) auth.info: Sep 11 16:24:04 sshd[1210]: Address 66.236.207.196 maps to intra-works.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> (1) auth.info: Sep 11 16:39:13 sshd[1323]: User ldap not allowed because shell /dev/null is not executable
>
> The number in a parens is amount of lines in my log similar to shown above.
Well they're not reason for ssh zombies. They're just sshd log messages,
which won't cause zombies. Zombies are caused by programming errors.
> This is usual enough nowadays. SSH worms trying to hack our systems.
Yep, everyone sees them. Not everyone sees sshd zombies.
> My sshd has password authentication disabled, so I'm not worry much about
> these worms... but looks like they force sshd to fork and exit very
> quickly because of failed auth, and so sshd start producing unreaped
> zombies at some point.
If the parent sshd continues to run, then it can fork lots of children,
all or many of which exit very quickly, and there will still be no zombies
reparented to init. There's something more going on here. You would be
well advised to report the problem to whoever maintains the ssh which you
use and/or the ssh maintainers.
next prev parent reply other threads:[~2007-09-12 17:40 UTC|newest]
Thread overview: 113+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-05-24 23:07 Radek Podgorny
2007-05-26 10:35 ` Alex Efros
2007-05-26 10:45 ` Alex Efros
2007-05-26 12:55 ` Charlie Brady
2007-05-26 13:03 ` Alex Efros
2007-05-26 17:01 ` Paul Jarc
2007-06-02 14:55 ` Alex Efros
2007-06-03 11:10 ` Gerrit Pape
2007-06-03 14:33 ` Alex Efros
2007-06-03 16:31 ` Gerrit Pape
2007-06-11 13:11 ` Alex Efros
2007-06-18 13:45 ` Alex Efros
2007-06-19 18:13 ` Gerrit Pape
2007-06-19 19:07 ` Alex Efros
2007-06-20 16:23 ` Gerrit Pape
2007-06-20 16:57 ` Alex Efros
2007-06-20 18:35 ` Gerrit Pape
2007-06-23 4:42 ` Alex Efros
2007-06-26 9:59 ` Gerrit Pape
2007-07-07 7:16 ` Alex Efros
2007-07-07 18:13 ` Charlie Brady
2007-07-07 19:12 ` Alex Efros
2007-07-12 14:21 ` Charlie Brady
2007-07-12 14:41 ` Alex Efros
2007-07-12 14:45 ` Charlie Brady
2007-07-12 14:57 ` Alex Efros
2007-07-12 14:42 ` Charlie Brady
2007-07-12 14:43 ` Charlie Brady
2007-07-12 14:49 ` Alex Efros
2007-07-12 15:11 ` Charlie Brady
2007-07-12 15:15 ` Alex Efros
2007-07-12 15:40 ` Charlie Brady
2007-07-15 14:47 ` Alex Efros
2007-07-15 19:07 ` Alex Efros
2007-07-15 20:18 ` George Georgalis
2007-07-15 20:31 ` Paul Jarc
2007-07-15 22:35 ` George Georgalis
2007-07-15 23:06 ` Paul Jarc
2007-07-15 23:23 ` Charlie Brady
2007-07-16 0:09 ` Alex Efros
2007-07-16 2:11 ` Charlie Brady
2007-09-12 12:53 ` Radek Podgorny
[not found] ` <47939.::ffff:77.75.72.5.1189601606.squirrel@mail.podgorny.cz>
2007-09-12 13:55 ` Charlie Brady
2007-09-12 14:35 ` Alex Efros
2007-09-12 14:55 ` Charlie Brady
2007-09-12 15:00 ` Alex Efros
2007-09-12 16:02 ` Charlie Brady
2007-09-12 16:10 ` Radek Podgorny
2007-09-12 17:22 ` Alex Efros
2007-09-12 17:40 ` Charlie Brady [this message]
2007-09-12 18:18 ` Alex Efros
2007-09-12 19:07 ` Charlie Brady
2007-09-12 19:13 ` Alex Efros
2007-09-12 19:18 ` Charlie Brady
2007-09-12 19:30 ` Alex Efros
2007-09-12 19:37 ` Charlie Brady
2007-09-15 13:36 ` Alex Efros
2007-09-15 13:57 ` Alex Efros
2007-09-15 15:20 ` Charlie Brady
2007-09-15 15:28 ` Alex Efros
2007-09-15 15:47 ` Charlie Brady
2007-09-15 16:02 ` Alex Efros
2007-09-15 15:49 ` Charlie Brady
2007-09-15 15:55 ` Alex Efros
2007-09-15 16:02 ` Charlie Brady
2007-09-15 15:36 ` Alex Efros
2007-09-15 15:58 ` Charlie Brady
2007-09-15 14:03 ` Alex Efros
2007-09-17 7:56 ` Gerrit Pape
2007-09-17 9:07 ` Radek Podgorny
2007-09-17 11:59 ` Alex Efros
2007-09-18 8:14 ` Gerrit Pape
2007-09-18 11:33 ` Alex Efros
2007-09-18 11:45 ` Laurent Bercot
2011-02-15 13:12 ` [LONG] " Laurent Bercot
2011-02-15 15:00 ` Alex Efros
2011-02-15 15:22 ` Laurent Bercot
2007-09-12 16:04 ` Radek Podgorny
[not found] ` <35517.::ffff:77.75.72.5.1189613042.squirrel@mail.podgorny.cz>
2007-09-12 17:04 ` Alex Efros
2007-09-12 19:38 ` Mike Buland
2007-09-12 20:28 ` Alex Efros
2007-09-12 20:38 ` Alex Efros
2007-09-13 1:05 ` Mike Buland
2007-09-13 8:58 ` Radek Podgorny
[not found] ` <50411.::ffff:77.75.72.5.1189673890.squirrel@mail.podgorny.cz>
2007-09-13 10:57 ` Alex Efros
2007-09-13 12:06 ` Alex Efros
2007-09-13 14:31 ` Radek Podgorny
[not found] ` <51910.::ffff:77.75.72.5.1189693860.squirrel@mail.podgorny.cz>
2007-09-13 14:51 ` Alex Efros
2007-07-16 2:24 ` George Georgalis
2007-07-01 8:43 ` Radek Podgorny
2007-07-02 8:28 ` Gerrit Pape
2007-07-02 11:23 ` Radek Podgorny
2007-07-02 12:14 ` Gerrit Pape
2007-07-02 12:42 ` Radek Podgorny
2007-07-07 4:54 ` Alex Efros
2007-06-20 19:57 ` Charlie Brady
2008-02-25 7:25 ` Alex Efros
2008-02-25 14:57 ` Charlie Brady
2008-02-25 15:23 ` Radek Podgorny
[not found] ` <59012.::ffff:77.75.72.226.1203952988.squirrel@mail.podgorny.cz>
2008-02-25 15:26 ` George Georgalis
2008-02-25 15:32 ` Charlie Brady
2008-02-25 16:17 ` Alex Efros
2008-02-25 17:20 ` Mike Buland
2008-02-25 15:27 ` Radek Podgorny
[not found] ` <34616.::ffff:77.75.72.226.1203953244.squirrel@mail.podgorny.cz>
2008-02-25 16:15 ` Alex Efros
2008-02-27 8:19 ` Bernhard Graf
2008-02-27 8:36 ` Alex Efros
2008-02-27 8:58 ` Bernhard Graf
[not found] ` <F694D808C0BB4890A12C565F68B9A691@home.internal>
2008-02-25 16:24 ` rehan khan
2008-02-25 16:27 ` Charlie Brady
[not found] ` <54B6D6D6D32D4DB685F8CA9A836076D7@home.internal>
2008-02-25 17:11 ` rehan khan
2008-02-25 19:13 ` Charlie Brady
2008-10-21 21:46 ` Alex Efros
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.64.0709121329560.24457@e-smith.charlieb.ott.istop.com \
--to=charlieb-supervision@budge.apana.org.au \
--cc=powerman@powerman.asdfGroup.com \
--cc=supervision@list.skarnet.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).