David King <[EMAIL PROTECTED]> wrote:

> I'm trying to use sshit.pl from /usr/ports/secrurity/sshit, and I'm  
> having some trouble with it that I think may be a bug, or a mis- 
> configuration on my part.
> 
> sshit is a Perl program that receives syslog messages (configured in  
> syslog.conf) of the form '/failed .*from (\d+\.\d+\.\d+\.\d+) /i' to  
> try to detect SSH brute-force attempts, and after X from the same IP  
> address in Y minutes, it adds them to an IPFW2 table, which has a  
> "deny from" rule that runs on it.
> 
> sshit seems to be not working (i.e. it's never adding IP addresses to  
> the ipfw2 table I specified) and dumping many of the following  
> messages to /var/log/messages:
> May 31 10:03:03 melchoir syslogd: Logging subprocess 20716 (exec /usr/ 
> local/sbin/sshit) exited with status 28.
> 
> This appears to be because of the following:
> ~# echo 'May 29 12:20:32 melchoir sshd[5707]: Failed password for  
> illegal user user1 from 61.82.52.1 port 43282 ssh2' | sshit; echo  
> "Error: $?"
> IPC::Shareable::SharedMem: shmget: No space left on device
> at /usr/local/lib/perl5/site_perl/5.8.8/IPC/Shareable.pm line 566
> Could not create shared memory segment: No space left on device
> at ./sshit line 295
> Error: 28
> 
> As you can see, shmget seems to say that it cannot get a shared  
> memory segment. However:
> 
> ~% grep SYSV /usr/src/sys/i386/conf/ROUTERKERNEL
> options         SYSVSHM                 #SYSV-style shared memory
> options         SYSVMSG                 #SYSV-style message queues
> options         SYSVSEM                 #SYSV-style semaphores
> 
> ~% top|grep ^Mem
> Mem: 182M Active, 23M Inact, 71M Wired, 1540K Cache, 41M Buf, 28M Free
> 
> ~% sysctl -a | grep ipc.*shm
> kern.ipc.shmmax: 134217728
> kern.ipc.shmmin: 1
> kern.ipc.shmmni: 192
> kern.ipc.shmseg: 128
> kern.ipc.shmall: 8192
> kern.ipc.shm_use_phys: 0
> kern.ipc.shm_allow_removed: 0
> 
> (that is after I turned up shmmax)
> 
> Some more potentially useful information:
> 
> ~% grep sshit.pl.*v[0-9] `which sshit`
> #  sshit.pl  v0.5
> 
> ~% uname -a
> FreeBSD <> 5.3-RELEASE-p20 FreeBSD 5.3-RELEASE-p20 #2: Fri Sep  9  
> 14:11:12 PDT 2005     root@<>:/usr/obj/usr/src/sys/ROUTERKERNEL  i386
> 
> ~% pkg_info | grep sshit
> sshit-0.5           Checks for SSH/FTP bruteforce and blocks given IPs
> 
> ~% perl -v
> This is perl, v5.8.8 built for i386-freebsd-64int
> 
> If you have absolutely any idea, please let me know. I'm happy to do  
> some more debugging if it helps

How about the output from 'ipcs -b'.

-- 
Bill Moran

That seem right to you?

        Jubal Early

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to