Date: Sun, 4 Jun 2006 08:51:48 -0400 From: Bill Moran <wmoran@collaborativefusion.com> To: David King <dking@ketralnis.com> Cc: freebsd-questions@freebsd.org Subject: Re: shmget: No space on device (sshit) Message-ID: <20060604085148.5f7c5287.wmoran@collaborativefusion.com> In-Reply-To: <0CFDA5B7-6649-4891-BB66-31D9BCB83B38@ketralnis.com> References: <0CFDA5B7-6649-4891-BB66-31D9BCB83B38@ketralnis.com>
next in thread | previous in thread | raw e-mail | index | archive | help
David King <dking@ketralnis.com> wrote:
> I'm trying to use sshit.pl from /usr/ports/secrurity/sshit, and I'm
> having some trouble with it that I think may be a bug, or a mis-
> configuration on my part.
>
> sshit is a Perl program that receives syslog messages (configured in
> syslog.conf) of the form '/failed .*from (\d+\.\d+\.\d+\.\d+) /i' to
> try to detect SSH brute-force attempts, and after X from the same IP
> address in Y minutes, it adds them to an IPFW2 table, which has a
> "deny from" rule that runs on it.
>
> sshit seems to be not working (i.e. it's never adding IP addresses to
> the ipfw2 table I specified) and dumping many of the following
> messages to /var/log/messages:
> May 31 10:03:03 melchoir syslogd: Logging subprocess 20716 (exec /usr/
> local/sbin/sshit) exited with status 28.
>
> This appears to be because of the following:
> ~# echo 'May 29 12:20:32 melchoir sshd[5707]: Failed password for
> illegal user user1 from 61.82.52.1 port 43282 ssh2' | sshit; echo
> "Error: $?"
> IPC::Shareable::SharedMem: shmget: No space left on device
> at /usr/local/lib/perl5/site_perl/5.8.8/IPC/Shareable.pm line 566
> Could not create shared memory segment: No space left on device
> at ./sshit line 295
> Error: 28
>
> As you can see, shmget seems to say that it cannot get a shared
> memory segment. However:
>
> ~% grep SYSV /usr/src/sys/i386/conf/ROUTERKERNEL
> options SYSVSHM #SYSV-style shared memory
> options SYSVMSG #SYSV-style message queues
> options SYSVSEM #SYSV-style semaphores
>
> ~% top|grep ^Mem
> Mem: 182M Active, 23M Inact, 71M Wired, 1540K Cache, 41M Buf, 28M Free
>
> ~% sysctl -a | grep ipc.*shm
> kern.ipc.shmmax: 134217728
> kern.ipc.shmmin: 1
> kern.ipc.shmmni: 192
> kern.ipc.shmseg: 128
> kern.ipc.shmall: 8192
> kern.ipc.shm_use_phys: 0
> kern.ipc.shm_allow_removed: 0
>
> (that is after I turned up shmmax)
>
> Some more potentially useful information:
>
> ~% grep sshit.pl.*v[0-9] `which sshit`
> # sshit.pl v0.5
>
> ~% uname -a
> FreeBSD <> 5.3-RELEASE-p20 FreeBSD 5.3-RELEASE-p20 #2: Fri Sep 9
> 14:11:12 PDT 2005 root@<>:/usr/obj/usr/src/sys/ROUTERKERNEL i386
>
> ~% pkg_info | grep sshit
> sshit-0.5 Checks for SSH/FTP bruteforce and blocks given IPs
>
> ~% perl -v
> This is perl, v5.8.8 built for i386-freebsd-64int
>
> If you have absolutely any idea, please let me know. I'm happy to do
> some more debugging if it helps
How about the output from 'ipcs -b'.
--
Bill Moran
That seem right to you?
Jubal Early
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060604085148.5f7c5287.wmoran>