Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Norberto Meijome
On Thu, 21 Aug 2008 16:28:05 -0400
Mikhail Teterin <[EMAIL PROTECTED]> wrote:

> Myself -- and the owner of the box -- travel quite a bit, ssh-ing "home" 
> from anywhere in the world. 

why not setup a SSL-based vpn ? lock everything down except the port of the 
vpn. try openvpn.

> Although we could, I suppose, find out the 
> destination-country's IP-allocation and add it before leaving, that 
> would be quite tedious to manage...

geoip attached to pf rules :P has anyone done it? But I can tell you it isn't 
that reliable...you want to have a way to bypass it.

b

_
{Beto|Norberto|Numard} Meijome

"Why do you sit there looking like an envelope without any address on it?"
  Mark Twain

I speak for myself, not my employer. Contents may be hot. Slippery when wet. 
Reading disclaimers makes you go blind. Writing them is worse. You have been 
Warned.
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Norberto Meijome
On Thu, 21 Aug 2008 13:03:09 -0700
Jeremy Chadwick <[EMAIL PROTECTED]> wrote:

> A different approach: consider putting sshd on a different port, rather
> than the default of 22.  A lot of people I know do this, solely to
> decrease the number of brute-force attempts you see above; I've never
> seen any of those brute-force attacking programs portscan, then attack
> against a port which returns a OpenSSH string.

+1 - obscurity definitely doesn't ADD to security , but it removes all the 
noise from your system.

Alternatively, you try port knocking ;)

> Finally, consider moving to pf instead, if you really feel ipfw is
> what's causing your machine to crash.  You might be pleasantly surprised
> by the syntax, and overall administrative usability (it is significantly
> superior to ipfw, IMHO).

+1 
_
{Beto|Norberto|Numard} Meijome

If Bill Gates had a dollar for every time a Windows box crashed...
.. Oh, wait a minute, he already does.

I speak for myself, not my employer. Contents may be hot. Slippery when wet. 
Reading disclaimers makes you go blind. Writing them is worse. You have been 
Warned.


Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Dewayne Geraghty
There are many excellent suggestions on how to deal with invalid/unauthorised 
access attempts via ssh.  I'd used sshguard for around 8 months but recently 
changed to bruteblock, both are in the ports/security.  sshguard was very easy 
to configure, via rc.conf arguments.    Bruteblock handled the same problem 
more elegantly: uses two processes one for monitoring audit.log, via a pipe and 
one for maintaining the ipfw table entries, it uses the ipfw table value with 
the date/time entered, and the C code is cleaner (some optimisations are 
possible but this is V0.5).  

If you'd like to try it, here are the steps I used to get it going:

Install package

Configure /usr/local/etc/bruteblock-ssh.conf (Using regexp
from sample, but modify parameters to suit your environment.)

regexp  = sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
regexp1 = sshd.*Failed password for (?:illegal user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

# three failures in 3 minutes is blocked for a day, using ipfw2 table 10
max_count   = 3
within_time = 180
reset_ip    = 86400
ipfw2_table_no = 10

Insert into "/etc/syslog.conf"

auth.info;authpriv.info |exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock-ssh.conf

Add to firewall rules (and /etc/rc.firewall)

ipfw add 4 deny ip from table\(10\) to any
ipfw add 4 deny ip from any to table\(10\)

Add into /etc/rc.conf

bruteblockd_enable="YES"
bruteblockd_table="10"
bruteblockd_flags="-s 7200"  # How frequently to review the ipfw table for entry removal

Now restart syslog, and start bruteblockd

/etc/rc.d/syslogd restart
/usr/local/etc/rc.d/bruteblockd.sh start



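
The counting and expiry logic that the configuration above describes (three failures within 180 seconds, entry kept for 86400 seconds in ipfw table 10), as an added example that is not part of the original post and is not bruteblock's own code. The function names, the allow-list argument and the month-relative timestamps are assumptions of this example; log lines other than the four from the thread are constructed, and the ipfw commands are printed rather than executed.

```shell
#!/bin/sh
# Thresholds taken from the bruteblock-ssh.conf values quoted in the post.
MAX_COUNT=3       # failures that trigger a block
WITHIN_TIME=180   # ...when they occur inside this many seconds
RESET_IP=86400    # lifetime of a table entry, in seconds
TABLE_NO=10       # ipfw table that the single deny rule refers to

# offenders ALLOW: read syslog lines on stdin and print "addr timestamp" once
# for each address reaching MAX_COUNT failures within WITHIN_TIME seconds.
# ALLOW is a space-separated list of addresses never to block (assumption of
# this example). Timestamps are seconds relative to the start of the month,
# because syslog lines carry no year; the log is assumed not to span months.
offenders() {
    awk -v max="$MAX_COUNT" -v win="$WITHIN_TIME" -v allow="$1" '
    function stamp(day, hms,    t) {
        split(hms, t, ":")
        return day * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }
    function valid_ip(s,    o, k) {
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
        split(s, o, ".")
        for (k = 1; k <= 4; k++) if (o[k] + 0 > 255) return 0
        return 1
    }
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) trusted[a[i]] = 1 }
    /sshd\[[0-9]+\]: (Invalid user|Illegal user|Failed password for) / {
        # The user name is text chosen by the client, so the source address
        # is read only from the field after the LAST "from" on the line.
        ip = ""
        for (i = NF - 1; i >= 1; i--) if ($i == "from") { ip = $(i + 1); break }
        if (!valid_ip(ip) || (ip in trusted) || (ip in blocked)) next
        now = stamp($2, $3)
        c = ++count[ip]
        seen[ip, c % max] = now              # ring buffer of the last max hits
        if (c >= max && now - seen[ip, (c + 1) % max] <= win) {
            blocked[ip] = 1
            print ip, now
        }
    }'
}

# block_commands: turn "addr timestamp" lines into table additions; the
# timestamp is stored as the table value so that entries can be aged out.
block_commands() {
    awk -v tbl="$TABLE_NO" '{ print "ipfw table " tbl " add " $1 " " $2 }'
}

# expired NOW: read "addr/32 value" lines (the two columns the thread's
# scripts take from `ipfw table N list`) and print deletions for entries
# that are at least RESET_IP seconds old at time NOW.
expired() {
    awk -v now="$1" -v keep="$RESET_IP" -v tbl="$TABLE_NO" '
    NF >= 2 && now - $2 >= keep { print "ipfw table " tbl " delete " $1 }'
}

# First four lines are from the thread; the rest are constructed.
sample_log() {
    cat <<'EOF'
Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
Aug 12 11:00:00 symbion sshd[5001]: Invalid user test from 203.0.113.7
Aug 12 11:02:00 symbion sshd[5002]: Invalid user test from 203.0.113.7
Aug 12 11:04:00 symbion sshd[5003]: Invalid user test from 203.0.113.7
Aug 12 11:10:01 symbion sshd[5010]: Failed password for invalid user admin from 198.51.100.5 port 40022 ssh2
Aug 12 11:10:02 symbion sshd[5011]: Failed password for invalid user admin from 198.51.100.5 port 40023 ssh2
Aug 12 11:10:03 symbion sshd[5012]: Failed password for invalid user admin from 198.51.100.5 port 40024 ssh2
EOF
}

# 198.51.100.5 stands in for a trusted, fixed host that must stay reachable.
sample_log | offenders "198.51.100.5" | block_commands
```

Only one table entry is produced per address however many further failures it logs, which keeps the rule set at the single table rule recommended elsewhere in the thread.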


Re: Memory Usage Stats

2008-08-21 Thread Jeremy Chadwick
- Forwarded message from Sabeeh Baig <[EMAIL PROTECTED]> -

> From: Sabeeh Baig <[EMAIL PROTECTED]>
> To: Jeremy Chadwick <[EMAIL PROTECTED]>
> Date: Thu, 21 Aug 2008 16:51:13 -0400
> Subject: Re: Memory Usage Stats
> 
> 1)  I didn't know that about swap allocation.
> 
> 2)  I know what each of the categories of memory stand for and what
> role they play and how they are used, so no I don't think of free
> memory like that.  Actually, total free memory includes inactive as
> well, since inactive keeps inactive pages for future use to improve
> performance, but dynamically reallocates them if necessary.
> 
> 3)  I followed standard update procedure listed in the handbook.  I
> don't deviate from that, as I don't want a broken mess to deal with.
> 
> --
> 
> 1)  I run AMD64.
> 
> 2)  How would I get this information, as I rebuilt it over a week ago.
> 
> 3)  I will provide this information once I get home.
> 
> On Thu, Aug 21, 2008 at 4:16 PM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> > On Thu, Aug 21, 2008 at 02:05:50PM -0400, Sabeeh Baig wrote:
> >> I've been noticing never-before-seen highs in memory usage, since the
> >> last time I rebuilt world a bout a week ago.  I have 2GB of memory and
> >> 2GB of swap space.  According to top, a little over 1GB of memory is
> >> active, 70MB free, 300MB wired, and the rest inactive.  I also have
> >> 59MB of swap used.
> >
> > The swap in use is fine; memory which is often untouched (e.g. allocated
> > but then not utilised for some time) is often swapped out to disk.
> >
> >> If I close an application, the amount of active memory never decreases
> >> and the other stats don't change either.
> >
> > I think you may be reading top output incorrectly, which is a common
> > problem these days.  I hope you're not assuming that the "Free" column
> > in top defines how much memory there is available for allocation on the
> > system.
> >
> >> The active figure can't be right even now, as I only have
> >> Xfce, Xorg, screen, two zsh session, slurm, irssi, pidgin, mpd, ncmpc,
> >> and irssi running.  That's usually my normal session and usage has
> >> been better before I recompiled.
> >
> >> Is it possible that top is displaying the wrong stats?
> >
> > Possibly -- how exactly did you rebuild your system when you said you
> > "rebuilt world"?  Did you follow each and every step in src/Makefile,
> > including booting into single user, etc. etc.?
> >
> > The reason I mention this is, lots of userland utilities rely on libkvm.
> > For example, you rebuilt your kernel (and the KVM structure within the
> > kernel changed due to CVS commits or whatever else), but you didn't
> > rebuild userland (e.g. libkvm still refers to the old KVM structure),
> > then you will see very odd numbers or possibly total breakage in top,
> > ps, systat, etc...
> >
> >> Is there any other utility I could try?
> >
> > systat, vmstat, and procstat (the latter only available if you're using
> > a fairly recent RELENG_7 or HEAD; and it may not be of much help here,
> > since it just provides a break-down of memory usage within a process)
> >
> >> I've tried ps auxm, but that's not exactly what I'm looking for.
> >
> > You could start by:
> >
> > 1) Stating if you're on i386 or amd64 -- it matters,
> > 2) Providing top output (sorted by "res") before and after said
> >   rebuild,
> > 3) Providing top output (sorted by "res") before and after you
> >   terminate a process that uses a large amount of memory.
> >
> > --
> > | Jeremy Chadwickjdc at parodius.com |
> > | Parodius Networking   http://www.parodius.com/ |
> > | UNIX Systems Administrator  Mountain View, CA, USA |
> > | Making life hard for others since 1977.  PGP: 4BD6C0CB |
> >
> >
> 
> 
> 
> -- 
> "UNIX is basically a simple operating system, but you have to be a
> genius to understand the simplicity."
> 
> Sabeeh Ahmed Baig
> 

- End forwarded message -

OP forgot to CC the mailing list.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Ross Wheeler



On Thu, 21 Aug 2008, Mikhail Teterin wrote:

>> Surely you don't have that many users who SSH into the NAT router from
>> random public IPs all over the world, rather than via the LAN?  Surely
>> if you yourself often SSH into your NAT router from a Blackberry device,
>> that you wouldn't have much of a problem adding a /19 to the allow list.
>> That's a hell of a lot better than allowing 0/0 and denying individual
>> /32s.
>
> Myself -- and the owner of the box -- travel quite a bit, ssh-ing "home" from 
> anywhere in the world. Although we could, I suppose, find out the 
> destination-country's IP-allocation and add it before leaving, that would be 
> quite tedious to manage...

One of my clients used to have a microwave link from my network to their 
office - and they were totally paranoid about remote access yet needed 
live IPs for other reasons.

They too needed frequent remote access from arbitrary addresses.

I overcame these conflicting requirements with a 2-step process. They 
"authorised" user first browsed to a website which asked their username 
and password. When entered correctly, it opened a hole in the firewall to 
allow that IP to their network. A timer ran every 15 minutes to close the 
hole (but was over-ridden by the web page which kept refreshing every 10 
mins). The last part may not be necessary for you, but this may be a 
possible workaround for your traveling access. Leave a default of deny any 
except from trusted, fixed hosts, and add transient access as required.


(The system did fail where your browser was proxied, but I catered for 
that for the "network guys" by letting them enter an IP address to open 
along with their user/pass - it just defaulted to the requesting host to 
make it easy)


YMMV.
RossW


Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Mikhail Teterin

Ross Wheeler wrote:
> I overcame these conflicting requirements with a 2-step process. They 
> "authorised" user first browsed to a website which asked their 
> username and password. When entered correctly, it opened a hole in the 
> firewall to allow that IP to their network. A timer ran every 15 
> minutes to close the hole (but was over-ridden by the web page which 
> kept refreshing every 10 mins). The last part may not be necessary for 
> you, but this may be a possible workaround for your traveling access. 
> Leave a default of deny any except from trusted, fixed hosts, and add 
> transient access as required.

This approach (or port-knocking of some sort) is good, but I'm not that 
worried about the sshd itself -- and the /detected/ attacks against it. 
It is the /undetected/ attacks against other services (such as apache), 
that worry me, and locking-out a rogue IP-address /completely/ is what 
I'd like to do. So your method would not work for me -- reaching the 
web-page (to allow myself a way back in) will be just as impossible as 
reaching the ssh-port... Thanks. Yours,


   -mi



the future of sun4v

2008-08-21 Thread Kip Macy
I apologise for cross-posting.

I believe that there is a general expectation by freebsd users and
developers that unsupported code should not be in CVS. Although sun4v
is a very interesting platform for developers doing SMP work, I simply
do not have the time or energy to maintain it. If someone else would
like to step up and try his hand I would be supportive of his efforts.
In the likely event that no one steps forward by the time that 7.1 is
released I will ask that it be moved to the Attic.

Thanks,
Kip


Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Michael Butler
I do something related to this with fwlogwatch although it can probably
be adapted to any similar tool; when I hit the 'block' threshold, I
execute something like:

#!/bin/sh
HR=`date "+%-k"`
/sbin/ipfw table 0 add $3 ${HR}

.. so each entry has a tag indicating the hour at which the block was
initiated.

At 5 to the hour, I run a simple cron job which does this to clean out
everything older than 24 hours ..

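#!/bin/sh
# Entries tagged with the coming hour were added about 24 hours ago.
HR=`date -v+1H "+%-k"`
# mktemp instead of a predictable /tmp/xx.$$ name (the job runs as root)
TMP=`mktemp /tmp/xx.XXXXXX` || exit 1
/sbin/ipfw table 0 list >"$TMP"
cat "$TMP" |
while read LINE
do
    set $LINE
    case "$2" in
    ${HR})
        /sbin/ipfw table 0 delete $1
        echo -n `date +"%H:%M:%S"` >>/var/log/fwlw_clean_log
        echo " fwlw_clean: removed $1 from table 0" >>/var/log/fwlw_clean_log
        ;;
    esac
done
rm "$TMP"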

I also have a script in /usr/local/etc/rc.d which saves the current
state in the event of an orderly shutdown and restores it on boot:

#!/bin/sh
case "$1" in
start)
    cat /var/db/ipfw/cache0 | while read LINE
    do
        set $LINE
        /sbin/ipfw table 0 add $1 $2
    done
    ;;
stop)
    /sbin/ipfw table 0 list >/var/db/ipfw/cache0
    ;;
restart)
    $0 $DEBUG stop
    $0 $DEBUG start
    exit $?
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0

Of course, this only works for ipv4 because of the restriction on the
ipfw table data but it's just an example,

Michael



Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Julian Elischer

Kevin Oberman wrote:
>> Date: Thu, 21 Aug 2008 13:38:38 -0400
>> From: Mikhail Teterin <[EMAIL PROTECTED]>
>> Sender: [EMAIL PROTECTED]
>>
>> Hello!
>>
>> A machine I manage remotely for a friend comes under a distributed ssh 
>> break-in attack every once in a while. Annoyed (and alarmed) by the 
>> messages like:
>>
>> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
>> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
>> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
>> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>>
>> I wrote an awk-script, which adds a block of the attacking IP-address to 
>> the ipfw-rules after three such "invalid user" attempts with:
>>
>>    ipfw add 550 deny ip from ip
>>
>> The script is fed by syslogd directly -- through a syslog.conf rule 
>> ("|/opt/sbin/auth-log-watch").
>>
>> Once in a while I manually flush these rules... Is this a good (safe) 
>> reaction?
>> I'm asking, because the machine (currently running 7.0 as of July 7) 
>> hangs solid once every few weeks... My only guess is that a spike in 
>> attacks causes "too many" ipfw-entries created, which paralyzes the 
>> kernel due to some bug -- the machine is running natd and is the gateway 
>> for the rest of the network...
>> The hangs could, of course, be caused by something else entirely, but my 
>> self-defense mechanism is my first suspect...
>>
>> Any comments? Thanks!

also, if you do this, have a single rule that uses a table
and add the addresses to the table.

> Looks remarkably like sshguard (ports/security/sshguard-*). It does almost
> exactly what you are doing but is written in C and has command-line
> switches to set how long a system is blocked, how many attempts
> constitute an attack and how long it should remember failed attempts. It
> also allows the use of back-end scripts if you want it to do something
> else such as generate reports (beyond an entry in /var/log/messages).
>
> As far as the hangs, I don't believe it is from the large number of
> brute force attempts as they will stop for a given host as soon as the
> firewall is updated. I seldom see more than a handful of attack sources
> over any short period.
>
> Should you want to continue with your own tool, at least for IPv4,
> consider using tables rather than a raft of rules. With tables, you need
> only a single rule and it is there at boot time.




Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Brooks Davis
On Thu, Aug 21, 2008 at 10:10:42PM +0200, Rink Springer wrote:
> On Thu, Aug 21, 2008 at 01:03:09PM -0700, Jeremy Chadwick wrote:
> > Finally, consider moving to pf instead, if you really feel ipfw is
> > what's causing your machine to crash.  You might be pleasantly surprised
> > by the syntax, and overall administrative usability (it is significantly
> > superior to ipfw, IMHO).
> 
> In fact, pf can already do this out-of-the-box, by doing something like:
> 
> table  persist
> pass quick on $wan_if proto tcp from any to any port ssh flags S/SA keep state \
>  (max-src-conn 15, max-src-conn-rate 5/3, overload  flush global)
> 
> If that is not an option, I have found that security/denyhosts works
> pretty well too (it just adds IP's to /etc/hosts.deniedssh, and
> host_access(5) denies them based on this)

You almost certainly don't want to rate limit ssh connections, only failed
ones.  If you rate limit connections and use svn, you're likely to lock your
self out.

-- Brooks




Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Mikhail Teterin

Jeremy Chadwick wrote:
> The above looks like sshguard.

Yes, several people have pointed this out. Thanks!

> I've personally never trusted something that *automatically* adjusts
> firewall rules based on data read from text logs or packets coming in
> off the Internet.  The risks involved are insanely high.

An IP participating in a detected attack like this one, may also be the 
source of another problem, which may not be detected... I can't afford 
to monitor this system at all times, hence the reliance on automatic 
defenses -- better to crash/reboot than be taken over...

> Stop for a moment and think what would happen to your box if a
> distributed brute-force attack (e.g. 300,000 different IPs) was launched
> against it; someone executing 20-30 SSH login attempts per IP.  I'm
> willing to bet adding 300,000 individual ipfw entries would cause some
> serious havoc on your machine (speculative: exhausted kernel memory, or
> at a bare minimum, exhaust the number of remaining ipfw rule entries)

Yes, this is something I'm suspecting happening. But should not there be 
some frantic messages, when the system is getting closer to this point? 
There is nothing in the logs...

> Surely you don't have that many users who SSH into the NAT router from
> random public IPs all over the world, rather than via the LAN?  Surely
> if you yourself often SSH into your NAT router from a Blackberry device,
> that you wouldn't have much of a problem adding a /19 to the allow list.
> That's a hell of a lot better than allowing 0/0 and denying individual
> /32s.

Myself -- and the owner of the box -- travel quite a bit, ssh-ing "home" 
from anywhere in the world. Although we could, I suppose, find out the 
destination-country's IP-allocation and add it before leaving, that 
would be quite tedious to manage...

> A different approach: consider putting sshd on a different port, rather
> than the default of 22.  A lot of people I know do this, solely to
> decrease the number of brute-force attempts you see above; I've never
> seen any of those brute-force attacking programs portscan, then attack
> against a port which returns a OpenSSH string.

That sounds kinda lame -- and temporary... Like buying an SUV to be 
higher (and heavier) than other cars, this only works, until everyone 
has an SUV :-) Once enough people move their sshd to different ports, 
the next release of the ssh-attack will be doing the portscanning, no 
doubt... Essential liberty vs. temporary security and all that :)

> Finally, consider moving to pf instead, if you really feel ipfw is
> what's causing your machine to crash.  You might be pleasantly surprised
> by the syntax, and overall administrative usability (it is significantly
> superior to ipfw, IMHO).

Thanks for the suggestion... But would this solve the suspected problems 
with kernel memory exhaustion, etc.? Whatever the firewall method, it 
still needs to keep the rules memorized somewhere...


Yours,

   -mi


Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Rink Springer
On Thu, Aug 21, 2008 at 01:03:09PM -0700, Jeremy Chadwick wrote:
> Finally, consider moving to pf instead, if you really feel ipfw is
> what's causing your machine to crash.  You might be pleasantly surprised
> by the syntax, and overall administrative usability (it is significantly
> superior to ipfw, IMHO).

In fact, pf can already do this out-of-the-box, by doing something like:

table  persist
pass quick on $wan_if proto tcp from any to any port ssh flags S/SA keep state \
 (max-src-conn 15, max-src-conn-rate 5/3, overload  flush global)

If that is not an option, I have found that security/denyhosts works
pretty well too (it just adds IP's to /etc/hosts.deniedssh, and
host_access(5) denies them based on this)

Regards,

-- 
Rink P.W. Springer- http://rink.nu
"Anyway boys, this is America. Just because you get more votes doesn't
 mean you win." - Fox Mulder


Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Eugene Butusov

Mikhail Teterin wrote:
> Hello!
>
> A machine I manage remotely for a friend comes under a distributed ssh 
> break-in attack every once in a while. Annoyed (and alarmed) by the 
> messages like:
>
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
> I wrote an awk-script, which adds a block of the attacking IP-address to 
> the ipfw-rules after three such "invalid user" attempts with:
>
>    ipfw add 550 deny ip from ip
>
> The script is fed by syslogd directly -- through a syslog.conf rule 
> ("|/opt/sbin/auth-log-watch").

Hi,

  You should look at 'bruteblock' (ports/security), it has similar 
functionality. It also provides daemon process, bruteblockd, which is
responsible for removing entries from ipfw table.

Best regards,
--
_/_/   .. Eugene Butusov
 _/_/  ... www.devilka.info
  _/_/  ebutusov(at)gmail(dot)com


Re: Memory Usage Stats

2008-08-21 Thread Jeremy Chadwick
On Thu, Aug 21, 2008 at 02:05:50PM -0400, Sabeeh Baig wrote:
> I've been noticing never-before-seen highs in memory usage, since the
> last time I rebuilt world a bout a week ago.  I have 2GB of memory and
> 2GB of swap space.  According to top, a little over 1GB of memory is
> active, 70MB free, 300MB wired, and the rest inactive.  I also have
> 59MB of swap used.

The swap in use is fine; memory which is often untouched (e.g. allocated
but then not utilised for some time) is often swapped out to disk.

> If I close an application, the amount of active memory never decreases
> and the other stats don't change either.

I think you may be reading top output incorrectly, which is a common
problem these days.  I hope you're not assuming that the "Free" column
in top defines how much memory there is available for allocation on the
system.

> The active figure can't be right even now, as I only have
> Xfce, Xorg, screen, two zsh session, slurm, irssi, pidgin, mpd, ncmpc,
> and irssi running.  That's usually my normal session and usage has
> been better before I recompiled.

> Is it possible that top is displaying the wrong stats?

Possibly -- how exactly did you rebuild your system when you said you
"rebuilt world"?  Did you follow each and every step in src/Makefile,
including booting into single user, etc. etc.?

The reason I mention this is, lots of userland utilities rely on libkvm.
For example, you rebuilt your kernel (and the KVM structure within the
kernel changed due to CVS commits or whatever else), but you didn't
rebuild userland (e.g. libkvm still refers to the old KVM structure),
then you will see very odd numbers or possibly total breakage in top,
ps, systat, etc...

> Is there any other utility I could try?

systat, vmstat, and procstat (the latter only available if you're using
a fairly recent RELENG_7 or HEAD; and it may not be of much help here,
since it just provides a break-down of memory usage within a process)

> I've tried ps auxm, but that's not exactly what I'm looking for.

You could start by:

1) Stating if you're on i386 or amd64 -- it matters,
2) Providing top output (sorted by "res") before and after said
   rebuild,
3) Providing top output (sorted by "res") before and after you
   terminate a process that uses a large amount of memory.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Jeremy Chadwick
On Thu, Aug 21, 2008 at 01:38:38PM -0400, Mikhail Teterin wrote:
> Hello!
>
> A machine I manage remotely for a friend comes under a distributed ssh  
> break-in attack every once in a while. Annoyed (and alarmed) by the  
> messages like:
>
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
> I wrote an awk-script, which adds a block of the attacking IP-address to  
> the ipfw-rules after three such "invalid user" attempts with:
>
>ipfw add 550 deny ip from ip
>
> The script is fed by syslogd directly -- through a syslog.conf rule  
> ("|/opt/sbin/auth-log-watch").
>
> Once in a while I manually flush these rules... Is this a good (safe)  
> reaction?
> I'm asking, because the machine (currently running 7.0 as of July 7)  
> hangs solid once every few weeks... My only guess is that a spike in  
> attacks causes "too many" ipfw-entries created, which paralyzes the  
> kernel due to some bug -- the machine is running natd and is the gateway  
> for the rest of the network...
> The hangs could, of course, be caused by something else entirely, but my  
> self-defense mechanism is my first suspect...
>
> Any comments? Thanks!

Yes, I have quite a few comments on this matter:

The above looks like sshguard.  I've personally never trusted something
that *automatically* adjusts firewall rules based on data read from text
logs or packets coming in off the Internet.  The risks involved are
insanely high.

Stop for a moment and think what would happen to your box if a
distributed brute-force attack (e.g. 300,000 different IPs) was launched
against it; someone executing 20-30 SSH login attempts per IP.  I'm
willing to bet adding 300,000 individual ipfw entries would cause some
serious havoc on your machine (speculative: exhausted kernel memory, or
at a bare minimum, exhaust the number of remaining ipfw rule entries)

And yes, the likelihood of someone doing this is quite high.

Try re-thinking your firewall logic.  Instead of "allow any, deny
specific IPs dynamically", how about "allow specific IPs, deny all
others"?

Surely you don't have that many users who SSH into the NAT router from
random public IPs all over the world, rather than via the LAN?  Surely
if you yourself often SSH into your NAT router from a Blackberry device,
that you wouldn't have much of a problem adding a /19 to the allow list.
That's a hell of a lot better than allowing 0/0 and denying individual
/32s.

A different approach: consider putting sshd on a different port, rather
than the default of 22.  A lot of people I know do this, solely to
decrease the number of brute-force attempts you see above; I've never
seen any of those brute-force attacking programs portscan, then attack
against a port which returns a OpenSSH string.

Finally, consider moving to pf instead, if you really feel ipfw is
what's causing your machine to crash.  You might be pleasantly surprised
by the syntax, and overall administrative usability (it is significantly
superior to ipfw, IMHO).

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Neil Neely


I haven't explored this issue enough to speak with any authority - but  
once upon a time I had an app doing tons of ipfw rule add/removes all  
the time and we had no end of performance and stability problems on  
that box (this would have been in 4.x or so timeline I expect).  As  
that approach wasn't really critical we abandoned it without really  
digging into the details.


Years later a need for lots of rapid firewall changes came up again  
and I drilled into it and found the use of tables was excellent for  
doing this and it does the job very well.  This approach is on a  
FreeBSD 6.3 box.


ipfw add 00550 deny ip from 'table(1)' to any

Then just add/remove entries to table 1 via:
ipfw table 1 add 10.1.1.22/32
ipfw table 1 delete 10.1.1.22/32

show all entries in table 1 with:
ipfw table 1 list

Clear out the whole of table 1
ipfw table 1 flush

I can't be sure if this relates to your particular issue, but I would  
recommend trying it out.


Neil Neely
http://neil-neely.blogspot.com




On Aug 21, 2008, at 11:38 AM, Mikhail Teterin wrote:


> Hello!
>
> A machine I manage remotely for a friend comes under a distributed
> ssh break-in attack every once in a while. Annoyed (and alarmed) by
> the messages like:
>
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
> I wrote an awk-script, which adds a block of the attacking IP-address
> to the ipfw-rules after three such "invalid user" attempts with:
>
>   ipfw add 550 deny ip from ip
>
> The script is fed by syslogd directly -- through a syslog.conf rule
> ("|/opt/sbin/auth-log-watch").
>
> Once in a while I manually flush these rules... Is this a good (safe)
> reaction?
> I'm asking, because the machine (currently running 7.0 as of July 7)
> hangs solid once every few weeks... My only guess is that a spike in
> attacks causes "too many" ipfw-entries created, which paralyzes the
> kernel due to some bug -- the machine is running natd and is the
> gateway for the rest of the network...
> The hangs could, of course, be caused by something else entirely,
> but my self-defense mechanism is my first suspect...
>
> Any comments? Thanks!
>
>   -mi



Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Christian Laursen
Mikhail Teterin <[EMAIL PROTECTED]> writes:

> A machine I manage remotely for a friend comes under a distributed ssh
> break-in attack every once in a while. Annoyed (and alarmed) by the
> messages like:
>
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
> I wrote an awk-script, which adds a block of the attacking IP-address
> to the ipfw-rules after three such "invalid user" attempts with:
>
>ipfw add 550 deny ip from ip

I don't know if it will make your problem go away, but using ipfw
tables for this seems to be a better idea than creating a new rule for
every IP address.

So you just need one rule:

ipfw add 550 deny ip from 'table(1)' to any

And then when you want to add an IP address to the table:

ipfw table 1 add 

You can add ranges too using the CIDR notation.

-- 
Christian Laursen


Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Mikhail Teterin

Neil Neely wrote:
> I haven't explored this issue enough to speak with any authority - but
> once upon a time I had an app doing tons of ipfw rule add/removes all
> the time and we had no end of performance and stability problems on
> that box (this would have been in 4.x or so timeline I expect).  As
> that approach wasn't really critical we abandoned it without really
> digging into the details.
>
> Years later a need for lots of rapid firewall changes came up again
> and I drilled into it and found the use of tables was excellent for
> doing this and it does the job very well.  This approach is on a
> FreeBSD 6.3 box.
>
> ipfw add 00550 deny ip from 'table(1)' to any
>
> Then just add/remove entries to table 1 via:
> ipfw table 1 add 10.1.1.22/32
> ipfw table 1 delete 10.1.1.22/32
>
> show all entries in table 1 with:
> ipfw table 1 list
>
> Clear out the whole of table 1
> ipfw table 1 flush
>
> I can't be sure if this relates to your particular issue, but I would
> recommend trying it out.

Thanks! I was not even aware of this functionality... Yes, I'll try that 
-- maybe, a bug in ipfw only hits once per 1000 invocations :-)


   -mi



feeding log-messages (Re: machine hangs on occasion - correlated with ssh break-in attempts)

2008-08-21 Thread Mikhail Teterin

David Wolfskill wrote:
> While the amount of work involved was assuredly greater in that case
> than in yours, those of us who were actually building and running the
> relays in question were very unsurprised when Postfix performance
> improved significantly following a redesign of the application, so
> that /var/log/maillog was written by syslogd(8) and the Perl script
> was effectively fed via "tail -F".

In my setup, syslogd does both -- append the message to the appropriate 
log-file (in this case -- /var/log/auth.log) and feed it to the script's 
stdin. From syslogd.conf:


   auth.info;authpriv.info /var/log/auth.log
   auth.info;authpriv.info |/opt/sbin/auth-log-watch


"tail -F" seems just wrong :-)

   -mi




Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Kevin Oberman
> Date: Thu, 21 Aug 2008 13:38:38 -0400
> From: Mikhail Teterin <[EMAIL PROTECTED]>
> Sender: [EMAIL PROTECTED]
> 
> Hello!
> 
> A machine I manage remotely for a friend comes under a distributed ssh 
> break-in attack every once in a while. Annoyed (and alarmed) by the 
> messages like:
> 
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
> 
> I wrote an awk-script, which adds a block of the attacking IP-address to 
> the ipfw-rules after three such "invalid user" attempts with:
> 
> ipfw add 550 deny ip from ip
> 
> The script is fed by syslogd directly -- through a syslog.conf rule 
> ("|/opt/sbin/auth-log-watch").
> 
> Once in a while I manually flush these rules... Is this a good (safe) 
> reaction?
> I'm asking, because the machine (currently running 7.0 as of July 7) 
> hangs solid once every few weeks... My only guess is that a spike in 
> attacks causes "too many" ipfw-entries created, which paralyzes the 
> kernel due to some bug -- the machine is running natd and is the gateway 
> for the rest of the network...
> The hangs could, of course, be caused by something else entirely, but my 
> self-defense mechanism is my first suspect...
> 
> Any comments? Thanks!

Looks remarkably like sshguard (ports/security/sshguard-*). It does almost
exactly what you are doing but is written in C and has command-line
switches to set how long a system is blocked, how many attempts
constitute an attack and how long it should remember failed attempts. It
also allows the use of back-end scripts if you want it to do something
else such as generate reports (beyond an entry in /var/log/messages).

As far as the hangs, I don't believe it is from the large number of
brute force attempts as they will stop for a given host as soon as the
firewall is updated. I seldom see more than a handful of attack sources
over any short period.

Should you want to continue with your own tool, at least for IPv4,
consider using tables rather than a raft of rules. With tables, you need
only a single rule and it is there at boot time.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]   Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
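
The approach the replies converge on, as an added example that is not code from any post in this thread: count "Invalid user" lines per source and add an address to ipfw table 1 once it reaches three, leaving the single `deny ip from 'table(1)' to any` rule untouched. The function names, the `IPFW`, `TABLE`, `THRESHOLD` and `ALLOW` variables, the `demo`/`run` arguments and the sample log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example: block ssh password-guessing sources through one ipfw table.
# Assumes the rule from the thread is already loaded at boot:
#   ipfw add 550 deny ip from 'table(1)' to any

IPFW="${IPFW:-ipfw}"          # assumption: set IPFW=echo for a dry run
TABLE="${TABLE:-1}"           # table number used in the thread
THRESHOLD="${THRESHOLD:-3}"   # "three such invalid user attempts"
ALLOW="${ALLOW:-}"            # assumption: space-separated addresses never blocked

# Print each source once, at the moment it reaches THRESHOLD "Invalid user" lines.
# The user name is text chosen by the remote side and can contain spaces or
# " from <addr>", so only the final field is used, and only if it is a dotted quad.
offenders() {
    awk -v max="$THRESHOLD" '
    function is_ipv4(s,    o, n, i) {
        n = split(s, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255)
                return 0
        return 1
    }
    / sshd\[[0-9]+\]: Invalid user / {
        ip = $NF
        if ($(NF - 1) != "from" || !is_ipv4(ip)) next
        if (++seen[ip] == max) { print ip; fflush() }
    }'
}

# One table entry per offender; the rule set itself never changes.
block_offenders() {
    offenders | while read -r ip; do
        case " $ALLOW " in *" $ip "*) continue ;; esac
        "$IPFW" table "$TABLE" add "$ip/32"
    done
}

# Constructed sample input (documentation address ranges, not real hosts).
sample_log() {
    cat <<'EOF'
Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:19 symbion sshd[4336]: Invalid user x from 198.51.100.7 from 203.0.113.5
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:22 symbion sshd[4340]: Invalid user a from 203.0.113.5
Aug 12 10:21:23 symbion sshd[4341]: Invalid user b from 203.0.113.5
Aug 12 10:21:24 symbion sshd[4342]: Invalid user c from 999.1.1.1;reboot
Aug 12 10:21:25 symbion sshd[4343]: Accepted publickey for mi from 192.0.2.99
EOF
}

# "demo" prints the ipfw commands for the sample; "run" reads syslogd's pipe.
case "${1:-}" in
    demo) IPFW=echo; sample_log | block_offenders ;;
    run)  block_offenders ;;
esac
```

Table entries stay until `ipfw table 1 flush`, and the per-source counters live only as long as the awk process; expiry of the kind sshguard offers is not implemented here.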




Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread David Wolfskill
On Thu, Aug 21, 2008 at 01:38:38PM -0400, Mikhail Teterin wrote:
> ...
> I wrote an awk-script, which adds a block of the attacking IP-address to 
> the ipfw-rules after three such "invalid user" attempts with:
> 
>ipfw add 550 deny ip from ip
> 
> The script is fed by syslogd directly -- through a syslog.conf rule 
> ("|/opt/sbin/auth-log-watch").
> ... 

At a previous employer, we were building mail relay boxen (FreeBSD
6.0 - 6.2 timeframe); at one point, It Was Decided that rather than
having /var/log/maillog written directly by syslogd(8), syslogd(8)
would feed a Perl script that would do some "Database Things" and
then get around to appending to /var/log/maillog itself.

While the amount of work involved was assuredly greater in that case
than in yours, those of us who were actually building and running the
relays in question were very unsurprised when Postfix performance
improved significantly following a redesign of the application, so that
/var/log/maillog was written by syslogd(8) and the Perl script was
effectively fed via "tail -F".

> Once in a while I manually flush these rules... Is this a good (safe) 
> reaction?

I also see such things (on my home "firewall" machine); my approach
is quite a bit different.  If folks are interested, I could probably
discuss it a bit, but I believe that would be, at best, tangential
to your note, and thus ought not be crafted as if it were part of
the thread -- and definitely does not warrant the cross-post.

> ...

Peace,
david
-- 
David H. Wolfskill  [EMAIL PROTECTED]
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.




Memory Usage Stats

2008-08-21 Thread Sabeeh Baig
I've been noticing never-before-seen highs in memory usage, since the
last time I rebuilt world about a week ago.  I have 2GB of memory and
2GB of swap space.  According to top, a little over 1GB of memory is
active, 70MB free, 300MB wired, and the rest inactive.  I also have
59MB of swap used.  If I close an application, the amount of active
memory never decreases and the other stats don't change either.  The
active figure can't be right even now, as I only have Xfce, Xorg,
screen, two zsh sessions, slurm, irssi, pidgin, mpd, ncmpc, and irssi
running.  That's usually my normal session and usage has been better
before I recompiled.  Is it possible that top is displaying the wrong
stats?  Is there any other utility I could try?  I've tried ps auxm,
but that's not exactly what I'm looking for.

-- 
"UNIX is basically a simple operating system, but you have to be a
genius to understand the simplicity."

Sabeeh Ahmed Baig


machine hangs on occasion - correlated with ssh break-in attempts

2008-08-21 Thread Mikhail Teterin

Hello!

A machine I manage remotely for a friend comes under a distributed ssh 
break-in attack every once in a while. Annoyed (and alarmed) by the 
messages like:


Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180

I wrote an awk-script, which adds a block of the attacking IP-address to 
the ipfw-rules after three such "invalid user" attempts with:


   ipfw add 550 deny ip from ip

The script is fed by syslogd directly -- through a syslog.conf rule 
("|/opt/sbin/auth-log-watch").


Once in a while I manually flush these rules... Is this a good (safe) 
reaction?
I'm asking, because the machine (currently running 7.0 as of July 7) 
hangs solid once every few weeks... My only guess is that a spike in 
attacks causes "too many" ipfw-entries created, which paralyzes the 
kernel due to some bug -- the machine is running natd and is the gateway 
for the rest of the network...
The hangs could, of course, be caused by something else entirely, but my 
self-defense mechanism is my first suspect...


Any comments? Thanks!

   -mi



Re: udf

2008-08-21 Thread Freddie Cash
On August 21, 2008 10:20 am Oliver Fromme wrote:
> Harald Schmalzbauer wrote:
>  > /dev/acd is completely broken for me since SATA drives... And burncd
>  > stopped working long time ago in FreeBSD 7 (ATAPI, ICHx).
>  > Any hope to see these optical media issues being fixed for 7.1?
>
> I haven't tried using burncd in a long time, but
> cdrecord-devel and dvd+rw-tools (both from ports)
> work fine for me.  Be sure to have options atapicam
> in your kernel.

For FreeBSD 7+ (and I think 6.2+), atapicam can be loaded as a module.

-- 
Freddie Cash
[EMAIL PROTECTED]


Re: udf

2008-08-21 Thread Oliver Fromme
Harald Schmalzbauer wrote:
 > /dev/acd is completely broken for me since SATA drives... And burncd 
 > stopped working long time ago in FreeBSD 7 (ATAPI, ICHx).
 > Any hope to see these optical media issues being fixed for 7.1?

I haven't tried using burncd in a long time, but
cdrecord-devel and dvd+rw-tools (both from ports)
work fine for me.  Be sure to have options atapicam
in your kernel.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich registry
court, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"C is quirky, flawed, and an enormous success."
-- Dennis M. Ritchie.


working around TOE bug

2008-08-21 Thread Mike Tancsa
I don't have too many production RELENG_7 boxes post TOE MFC, but on 
the ones I do, apart from applying


# diff -u src/sys/netinet/tcp_offload.c src/sys/netinet/tcp_offload.c.disable
--- src/sys/netinet/tcp_offload.c   2008-07-31 18:25:51.0 -0400
+++ src/sys/netinet/tcp_offload.c.disable   2008-08-21 
09:39:07.0 -0400

@@ -58,6 +58,8 @@
struct rtentry *rt;
int error;

+   return (EINVAL);
+
/*
 * Look up the route used for the connection to
 * determine if it uses an interface capable of
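
Review bot: the unconditional `return (EINVAL);` added directly after the `struct rtentry *rt;` and `int error;` declarations makes the route lookup that follows unreachable and leaves both locals unused, which a kernel build that treats warnings as errors may refuse, and it carries no comment saying why offload is being refused. If the early return is kept as a local workaround, put a short comment on it and wrap it in a compile-time option or a tunable so it can be switched off without patching again. The hunk also does not show what callers do with EINVAL, so it is worth confirming that they fall back to the ordinary TCP path on that error instead of failing the connection.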

is there a better way to disable it ? Does having it in cause any 
performance issues ?


---Mike


Mike Tancsa,  tel +1 519 651 3400
Sentex Communications,[EMAIL PROTECTED]
Providing Internet since 1994www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike



Re: nanobsd build problem

2008-08-21 Thread Dan Pelleg
On Mon, Aug 18, 2008 at 08:43:22PM +, Ben Kelly wrote:
> 
> On Mon, 18 Aug 2008 22:14:04 +0300, Dan Pelleg <[EMAIL PROTECTED]>
> wrote:
> > I'm trying to build nanobsd. I get the error below. Any ideas?
> 
> 
> > /usr/src/gnu/lib/libgcc/../../../contrib/gcc/tsystem.h:111:18: error:
> > time.h: No such file or directory
> > *** Error code 1
> 
> Do you have WITHOUT_TOOLCHAIN set?  That option currently only works for
> the install target, not the build target.
> 
> Hope that helps.
> 
> - Ben

Bingo. Unsetting it fixed the issue. Thanks!

-- 
  Dan


Re: Stable SATA pci card for FreeBSD 6.x/7.0

2008-08-21 Thread Jeremy Chadwick
On Thu, Aug 21, 2008 at 09:49:25AM +0200, Sebastiaan van Erk wrote:
> I was thinking of buying the Promise SATA300 TX4 PCI Controller. I've  
> searched on google, and I do see some negative posts on them in  
> combination with FreeBSD, however they all date back at least 2 years...
>
> Does anybody have positive/negative experiences using this card?

I have one of these cards (not currently in use; less stuff inside my
FreeBSD box at home the better), and never ran into any oddities.  That
was with 4 disks connected, each disk its own UFS2 filesystem.  ZFS
wasn't available back then.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: Stable SATA pci card for FreeBSD 6.x/7.0

2008-08-21 Thread Sebastiaan van Erk

Hi,

Cian Hughes wrote:
> Sebastiaan,
> Have you tried connecting your 250GB drives to the troublesome
> controller? If so, does "stressing" them cause the system to panic?
>
> ~Cian Hughes

Thanks for your reply.

I have not tried stress-testing the 250GB drives on the troublesome 
controller. The problem with those drives is, that even though they are 
mirrored, the data is very important to me and I do not want it to get 
corrupted. I do have backups of course, but the problem with data 
corruption is that it often takes very long to notice...


I was thinking of buying the Promise SATA300 TX4 PCI Controller. I've 
searched on google, and I do see some negative posts on them in 
combination with FreeBSD, however they all date back at least 2 years...


Does anybody have positive/negative experiences using this card?

Regards,
Sebastiaan



--
University of Bristol Medical School

On 14 Aug 2008, at 10:37, Sebastiaan van Erk wrote:


Thanks Jonathan,

I'm starting to expect it has to be the controller as well. About 20 
minutes after I posted this message yesterday (and thus 20 minutes 
after ad6 got disconnected - atacontrol list showed "no device 
present" for it) the machine crashed while writing to the remaining 
ad4 drive (kernel panic). I attached the logs below. I also ran the 
long smart self test on both drives, and no errors were found on 
either drive (logs also attached).


Unfortunately I could not attach the new disks to my mainboard SATA 
because my mainboard SATA somehow hangs trying to detect them. So I 
cannot test if *not* using the controller is going to solve the 
problems, though it seems logical at the moment it has to be the 
controller, especially if other people have had similar issues.


I guess I'll be buying another controller.

Regards,
Sebastiaan

Jonathan Groll wrote:

On Wed, Aug 13, 2008 at 03:10:56PM +0200, Sebastiaan van Erk wrote:

Hi,

Just an update on this issue.

Quick summary: I fixed the BIOS issues, the hardware monitor issues, 
and the rl0/rl1 watchdog timeout issues (it seems). However I'm 
still having problems with my SATA drives (or at least one of them). 
More info below.


BIOS:
I flashed my BIOS to the latest version about a year ago, and never 
noticed that there was any problem, but it turns out there was. I 
never reset the BIOS to default factory settings after the upgrade, 
and it seems the settings were corrupt. After having reset the BIOS 
to the "default optimized factory settings" it stopped crashing when 
I go into the H/W monitor and also when using healthd -d (output below):


Temp.= 40.0, 36.0, 66.0; Rot.=0,0,0
Vcore = 1.44, 3.12; Volt. = 3.34, 5.00,  1.95,  -0.11, -1.54
Temp.= 40.0, 36.0, 66.0; Rot.=0,0,0
Vcore = 1.44, 3.14; Volt. = 3.33, 4.97,  1.95,  -0.11, -1.54
Temp.= 40.0, 36.0, 66.0; Rot.=0,0,0
Vcore = 1.44, 3.12; Volt. = 3.34, 4.97,  1.95,  -0.11, -1.54
Temp.= 40.0, 36.0, 66.0; Rot.=0,0,0
Vcore = 1.44, 3.12; Volt. = 3.34, 5.00,  1.95,  -0.11, -1.54
Temp.= 40.0, 36.0, 66.0; Rot.=0,0,0
Vcore = 1.44, 3.12; Volt. = 3.34, 5.00,  1.95,  -0.11, -1.54

This also seems to have fixed the rl0 watchdog timeout problems. I 
no longer see those in my logs.


SATA DRIVES:

I'm still having problems with the SATA drives.

I tried connecting the 1TB Samsung drives to my mainboard, but then 
the box hangs when booting with the "Detecting IDE drives" message. 
The regular (PATA) IDE drives are detected first, and then it 
repeats the "Detecting IDE drives" message to detect the sata 
drives, and hangs. When I connect my 250GB SATA drives to my 
mainboard they detect fine, and the box boots normally.


I did another rsync of my old mirror (the 250GB disks) to the new 
mirror (1TB disks), but again one of the disks got detached. This 
time there are no other messages in the log, the only thing I see is 
the following:


Aug 13 14:35:27 piglet su: sebster to root on /dev/ttyp5
Aug 13 14:55:38 piglet kernel: ad6: FAILURE - device detached
Aug 13 14:55:38 piglet kernel: subdisk6: detached
Aug 13 14:55:38 piglet kernel: ad6: detached
Aug 13 14:55:38 piglet kernel: GEOM_MIRROR: Device gm1: provider ad6 
disconnected.
Aug 13 15:00:00 piglet newsyslog[1800]: logfile turned over due to 
size>100K


(unfortunate that the log file just got rotated, but in the new log 
file there is nothing except the one expected line:


Aug 13 15:00:00 piglet newsyslog[1800]: logfile turned over due to 
size>100K


So, nothing after the disconnect...

The question I have now is:
1) Could an upgrade to FreeBSD 7-STABLE fix the issue (it's a LOT of 
work for me, but I'll do it if there are SATA driver issues fixed).

I suspect the problem may be the SiI driver in Freebsd. As a reference
point, I've had a similar problem, even on 7-STABLE, but with sparc64
hardware (see earlier post in this thread).
It'll probably be simplest for you to just buy another controller of
another brand. On the other hand, it'll be worth kn