Re: sshit runs out of semaphores
On Tuesday 02 December 2008 04:54:27 Bill Moran wrote:
> In response to "DA Forsyth" <[EMAIL PROTECTED]>:
> > Hiya
> >
> > I recently started (trying) to use sshit to filter the many brute
> > force sshd attacks.
> >
> > However, it has never worked on my box. FreeBSD 7.0 p1.
> >
> > This morning it would only give a message (without exiting)
> >    Could not create semaphore set: No space left on device
> >    at /usr/local/sbin/sshit line 322
> > Every time it gets stopped by CTRL-C it leaves the shared memory
> > behind, allocated.
>
> Have a look at ipcs and ipcrm, which will save you the reboots.
>
> > A side issue is that sshit will only filter rapid fire attacks, but I
> > am also seeing 'slow fire' attacks, where an IP is repeated every 2
> > or 3 hours, but there seem to be a network of attackers because the
> > name sequence is kept up across many incoming IP's. Is there any
> > script for countering these attacks?
> > If not I'll write one I think.
>
> My approach:
> http://www.potentialtech.com/cms/node/16

I use denyhosts which adds the IP to a file called hosts_deny.ssh. It will
keep the IP for however many days you set it for so a repeat even hours
later will just get bounced.

--
---
Beech Rintoul - FreeBSD Developer - [EMAIL PROTECTED]
/"\   ASCII Ribbon Campaign  | FreeBSD Since 4.x
\ / - NO HTML/RTF in e-mail  | http://people.freebsd.org/~beech
 X  - NO Word docs in e-mail | Skype: akbeech
/ \ - http://www.FreeBSD.org/releases/7.0R/announce.html
---
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: sshit runs out of semaphores
In response to "DA Forsyth" <[EMAIL PROTECTED]>:
> Hiya
>
> I recently started (trying) to use sshit to filter the many brute
> force sshd attacks.
>
> However, it has never worked on my box. FreeBSD 7.0 p1.
>
> This morning it would only give a message (without exiting)
>    Could not create semaphore set: No space left on device
>    at /usr/local/sbin/sshit line 322
> Every time it gets stopped by CTRL-C it leaves the shared memory
> behind, allocated.

Have a look at ipcs and ipcrm, which will save you the reboots.

> A side issue is that sshit will only filter rapid fire attacks, but I
> am also seeing 'slow fire' attacks, where an IP is repeated every 2
> or 3 hours, but there seem to be a network of attackers because the
> name sequence is kept up across many incoming IP's. Is there any
> script for countering these attacks?
> If not I'll write one I think.

My approach:
http://www.potentialtech.com/cms/node/16

--
Bill Moran
http://www.potentialtech.com
Re: sshit runs out of semaphores
DA Forsyth wrote:
> Hiya
>
> I recently started (trying) to use sshit to filter the many brute
> force sshd attacks.
>
> However, it has never worked on my box. FreeBSD 7.0 p1.
>
> This morning it would only give a message (without exiting)
>    Could not create semaphore set: No space left on device
>    at /usr/local/sbin/sshit line 322
> Every time it gets stopped by CTRL-C it leaves the shared memory
> behind, allocated.
>
> I am going to reboot later and double the number of semaphores (in
> loader.conf).
> I am running hobbit which uses 8, leaving only 2 free. This may
> solve this issue, but I'd appreciate any ideas and experienced
> advice.
>
> A side issue is that sshit will only filter rapid fire attacks, but I
> am also seeing 'slow fire' attacks, where an IP is repeated every 2
> or 3 hours, but there seem to be a network of attackers because the
> name sequence is kept up across many incoming IP's. Is there any
> script for countering these attacks?
> If not I'll write one I think.
>
>
> --
> DA Forsyth    Network Supervisor
> Principal Technical Officer -- Institute for Water Research
> http://www.ru.ac.za/institutes/iwr/

Hi DA,

I previously used sshit to defend against SSH brute-force attacks but
never saw the semaphore problem that you reported. However, I recently
switched to sshguard for other reasons, and it has worked well for
defending against both high-speed and slow-speed attacks.

You can get more information here:
http://sshguard.sourceforge.net/
http://www.freshports.org/security/sshguard-ipfw/

Hope that helps,
Greg

--
Greg Larkin
http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
sshit runs out of semaphores
Hiya

I recently started (trying) to use sshit to filter the many brute
force sshd attacks.

However, it has never worked on my box. FreeBSD 7.0 p1.

This morning it would only give a message (without exiting)
   Could not create semaphore set: No space left on device
   at /usr/local/sbin/sshit line 322
Every time it gets stopped by CTRL-C it leaves the shared memory
behind, allocated.

I am going to reboot later and double the number of semaphores (in
loader.conf).
I am running hobbit which uses 8, leaving only 2 free. This may
solve this issue, but I'd appreciate any ideas and experienced
advice.

A side issue is that sshit will only filter rapid fire attacks, but I
am also seeing 'slow fire' attacks, where an IP is repeated every 2
or 3 hours, but there seem to be a network of attackers because the
name sequence is kept up across many incoming IP's. Is there any
script for countering these attacks?
If not I'll write one I think.

--
DA Forsyth    Network Supervisor
Principal Technical Officer -- Institute for Water Research
http://www.ru.ac.za/institutes/iwr/
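The 'slow fire' pattern described in the post above can be detected from the sshd log itself; the following is an added example, not code from this thread or from sshit, denyhosts or sshguard. It assumes stock OpenSSH "Failed password" syslog lines, and the sample log, function names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: stock OpenSSH "Failed password" syslog lines.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Constructed sample log (documentation address ranges, invented users).
SAMPLE = """\
Dec  2 01:00:05 box sshd[1001]: Failed password for invalid user aaron from 192.0.2.10 port 4001 ssh2
Dec  2 01:40:11 box sshd[1002]: Failed password for invalid user abby from 198.51.100.7 port 4002 ssh2
Dec  2 03:05:40 box sshd[1003]: Failed password for invalid user adam from 203.0.113.9 port 4003 ssh2
Dec  2 04:10:02 box sshd[1004]: Failed password for invalid user adrian from 192.0.2.10 port 4004 ssh2
Dec  2 06:20:30 box sshd[1005]: Failed password for invalid user alan from 198.51.100.7 port 4005 ssh2
Dec  2 07:15:00 box sshd[1006]: Failed password for invalid user albert from 192.0.2.10 port 4006 ssh2
Dec  2 07:16:00 box sshd[1007]: Accepted publickey for da from 192.0.2.200 port 4007 ssh2
""".splitlines()

def parse(lines, year=2008):
    """Return sorted (time, user, ip) tuples; syslog omits the year."""
    hits = [m for m in map(FAIL_RE.match, lines) if m]
    return sorted((datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                   m["user"], m["ip"]) for m in hits)

def slow_offenders(events, window=timedelta(days=1), limit=3):
    """IPs with >= limit failures inside `window`, even hours apart."""
    seen, flagged = defaultdict(list), set()
    for ts, _user, ip in events:
        hits = seen[ip] = [t for t in seen[ip] if ts - t < window] + [ts]
        if len(hits) >= limit:
            flagged.add(ip)
    return flagged

def coordinated_runs(events, min_len=4, min_ips=3):
    """IP sets of runs whose usernames keep ascending across sources."""
    runs, run = [], []
    for ev in events + [None]:          # None flushes the final run
        if ev and (not run or ev[1] >= run[-1][1]):
            run.append(ev)
            continue
        ips = {ip for _, _, ip in run}
        if len(run) >= min_len and len(ips) >= min_ips:
            runs.append(ips)
        run = [ev] if ev else []
    return runs
```

A day-long window catches the address that returns every few hours, and the ascending-username check groups the addresses that share one dictionary run so they can be blocked together.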