David King <[EMAIL PROTECTED]> wrote:
> I'm trying to use sshit.pl from /usr/ports/secrurity/sshit, and I'm
> having some trouble with it that I think may be a bug, or a mis-
> configuration on my part.
> sshit is a Perl program that receives syslog messages (configured in
> syslog.conf) of the form '/failed .*from (\d+\.\d+\.\d+\.\d+) /i' to
> try to detect SSH brute-force attempts, and after X from the same IP
> address in Y minutes, it adds them to an IPFW2 table, which has a
> "deny from" rule that runs on it.
> sshit seems to be not working (i.e. it's never adding IP addresses to
> the ipfw2 table I specified) and dumping many of the following
> messages to /var/log/messages:
> May 31 10:03:03 melchoir syslogd: Logging subprocess 20716 (exec /usr/
> local/sbin/sshit) exited with status 28.
> This appears to be because of the following:
> ~# echo 'May 29 12:20:32 melchoir sshd: Failed password for
> illegal user user1 from 22.214.171.124 port 43282 ssh2' | sshit; echo
> "Error: $?"
> IPC::Shareable::SharedMem: shmget: No space left on device
> at /usr/local/lib/perl5/site_perl/5.8.8/IPC/Shareable.pm line 566
> Could not create shared memory segment: No space left on device
> at ./sshit line 295
> Error: 28
> As you can see, shmget seems to say that it cannot get a shared
> memory segment. However:
> ~% grep SYSV /usr/src/sys/i386/conf/ROUTERKERNEL
> options SYSVSHM #SYSV-style shared memory
> options SYSVMSG #SYSV-style message queues
> options SYSVSEM #SYSV-style semaphores
> ~% top|grep ^Mem
> Mem: 182M Active, 23M Inact, 71M Wired, 1540K Cache, 41M Buf, 28M Free
> ~% sysctl -a | grep ipc.*shm
> kern.ipc.shmmax: 134217728
> kern.ipc.shmmin: 1
> kern.ipc.shmmni: 192
> kern.ipc.shmseg: 128
> kern.ipc.shmall: 8192
> kern.ipc.shm_use_phys: 0
> kern.ipc.shm_allow_removed: 0
> (that is after I turned up shmmax)
> Some more potentially useful information:
> ~% grep sshit.pl.*v[0-9] `which sshit`
> # sshit.pl v0.5
> ~% uname -a
> FreeBSD <> 5.3-RELEASE-p20 FreeBSD 5.3-RELEASE-p20 #2: Fri Sep 9
> 14:11:12 PDT 2005 root@<>:/usr/obj/usr/src/sys/ROUTERKERNEL i386
> ~% pkg_info | grep sshit
> sshit-0.5 Checks for SSH/FTP bruteforce and blocks given IPs
> ~% perl -v
> This is perl, v5.8.8 built for i386-freebsd-64int
> If you have absolutely any idea, please let me know. I'm happy to do
> some more debugging if it helps
How about the output from 'ipcs -b'.
That seem right to you?
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"