From: Charlie Brady
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: runit not collecting zombies
Date: Wed, 12 Sep 2007 13:40:07 -0400 (EDT)
To: Alex Efros
Cc: supervision@list.skarnet.org

On Wed, 12 Sep 2007, Alex Efros wrote:

> On Wed, Sep 12, 2007 at 12:02:48PM -0400, Charlie Brady wrote:
>> No, I just haven't seen any evidence. I suspect you are misinterpreting the
>> misbehaviour of some program started from ssh, and attributing that
>> program's failures to ssh. ssh is always used to start other programs, and
>> other programs can always generate zombies. There's nothing ssh can do to
>
> I don't think it's 'other programs'. If this issue happens with
> 'other programs', then I'll probably see 'other programs' names in `ps`
> output, while I have seen '[sshd]'.

Indeed. Please remember that we haven't seen your ps output.

> I think this is the reason for ssh zombies:
>
> (14) auth.err: Sep 5 09:02:00 sshd[3133]: error: channel 0: chan_read_failed for istate 3
> (29) auth.info: Sep 5 18:13:37 sshd[1022]: Did not receive identification string from 85.17.106.138
> (3789) auth.info: Sep 6 13:27:18 sshd[5016]: Invalid user apple from 81.228.45.11
> (102) auth.info: Sep 6 13:27:52 sshd[5144]: User mysql not allowed because account is locked
> (576) auth.info: Sep 11 16:24:04 sshd[1210]: Address 66.236.207.196 maps to intra-works.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> (1) auth.info: Sep 11 16:39:13 sshd[1323]: User ldap not allowed because shell /dev/null is not executable
>
> The number in parens is the amount of lines in my log similar to the one shown above.

Well, they're not the reason for ssh zombies. They're just sshd log messages,
which won't cause zombies. Zombies are caused by programming errors.

> This is usual enough nowadays. SSH worms trying to hack our systems.

Yep, everyone sees them. Not everyone sees sshd zombies.

> My sshd has password authentication disabled, so I'm not worried much about
> these worms... but it looks like they force sshd to fork and exit very
> quickly because of failed auth, and so sshd starts producing unreaped
> zombies at some point.

If the parent sshd continues to run, then it can fork lots of children,
all or many of which exit very quickly, and there will still be no zombies
reparented to init.

There's something more going on here. You would be well advised to report
the problem to whoever maintains the ssh which you use and/or the ssh
maintainers.
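
Added example, not part of the original message: one way to settle from `ps` output which process is failing to reap, by grouping zombies by parent PID. Zombies whose parent is the listening sshd are sshd's to collect; only zombies whose parent is PID 1 are init's (runit's) responsibility. The sample `ps` output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,ppid,stat,comm` output (not from the thread).
sample_ps() {
cat <<'EOF'
  PID  PPID STAT COMMAND
    1     0 Ss   runit
  412     1 Ss   runsvdir
  430   412 Ss   runsv
  431   430 S    sshd
 5016   431 Z    sshd
 5144   431 Z    sshd
 6001     1 Z    sshd
 6100   431 Ss   sshd
 6101  6100 Ss   bash
EOF
}

# zombie_parents: read ps output (pid ppid stat comm) on stdin and print one
# line per parent holding zombies: "<ppid> <parent command> <zombie count>".
zombie_parents() {
  awk '
    NR == 1   { next }           # skip the header line
              { comm[$1] = $4 }  # remember each command name by PID
    $3 ~ /^Z/ { z[$2]++ }        # STAT beginning with Z: count per parent PID
    END {
      for (p in z)
        printf "%d %s %d\n", p, (p in comm ? comm[p] : "?"), z[p]
    }' | sort -n
}

# zombies_under PID: number of zombies whose parent is PID (0 if none).
zombies_under() {
  zombie_parents | awk -v p="$1" '$1 == p { n = $3 } END { print n + 0 }'
}

# Live use: ps -eo pid,ppid,stat,comm | zombie_parents
```

In the constructed sample, two zombies sit under the sshd listener (PID 431) and one orphan has been reparented to PID 1; only the latter would point at runit.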