Message-ID: <49353742.9050400@FreeBSD.org>
Date: Tue, 02 Dec 2008 08:25:22 -0500
From: Greg Larkin
Organization: The FreeBSD Project
To: d.forsyth@ru.ac.za
Cc: freebsd-questions@freebsd.org
Reply-To: glarkin@FreeBSD.org
In-Reply-To: <49354C7C.9611.68C7120@d.forsyth.ru.ac.za>
Subject: Re: sshit runs out of semaphores

DA Forsyth wrote:
> Hiya
>
> I recently started (trying) to use sshit to filter the many brute
> force sshd attacks.
>
> However, it has never worked on my box.  FreeBSD 7.0 p1.
>
> This morning it would only give a message (without exiting)
> Could not create semaphore set: No space left on device
> at /usr/local/sbin/sshit line 322
> Every time it gets stopped by CTRL-C it leaves the shared memory
> behind, allocated.
>
> I am going to reboot later and double the number of semaphores (in
> loader.conf).
> I am running hobbit which uses 8, leaving only 2 free. This may
> solve this issue, but I'd appreciate any ideas and experienced
> advice.
>
> A side issue is that sshit will only filter rapid fire attacks, but I
> am also seeing 'slow fire' attacks, where an IP is repeated every 2
> or 3 hours, but there seem to be a network of attackers because the
> name sequence is kept up across many incoming IP's. Is there any
> script for countering these attacks?
> If not I'll write one I think.
>
>
> --
> DA Forsyth            Network Supervisor
> Principal Technical Officer -- Institute for Water Research
> http://www.ru.ac.za/institutes/iwr/

Hi DA,

I previously used sshit to defend against SSH brute-force attacks but
never saw the semaphore problem that you reported. However, I recently
switched to sshguard for other reasons, and it has worked well for
defending against both high-speed and slow-speed attacks.

You can get more information here:
http://sshguard.sourceforge.net/
http://www.freshports.org/security/sshguard-ipfw/

Hope that helps,
Greg
-- 
Greg Larkin
http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
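
The 'slow fire' pattern described in the quoted question (one source repeating every 2 or 3 hours, with the username sequence continuing across many addresses) can be looked for in the sshd log. The following is an added example, not part of either message and not code from sshit or sshguard; the "Failed password" line format, the assumed year, the thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd password-failure line; syslog omits the year, so parse() assumes one.
FAIL = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                  r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def parse(lines, year=2008):
    events = []
    for line in lines:
        m = FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def slow_repeaters(events, window=timedelta(hours=24), threshold=3):
    """IPs with `threshold` failures inside `window`, however far apart."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    return {ip for ip, t in by_ip.items()
            if any(t[i + threshold - 1] - t[i] <= window
                   for i in range(len(t) - threshold + 1))}

def shared_wordlist(events, min_len=5, min_ips=3):
    """Sources in the longest run of strictly ascending usernames (time order),
    reported only if the run is long and spread over several addresses."""
    best, run = [], []
    for ev in events:
        if run and ev[1] <= run[-1][1]:
            run = []
        run.append(ev)
        if len(run) > len(best):
            best = list(run)
    ips = {ip for _ts, _user, ip in best}
    return ips if len(best) >= min_len and len(ips) >= min_ips else set()

# Constructed sample: one guess every 2-3 hours from rotating addresses.
ATTEMPTS = [("01:10:02", "aaron", "192.0.2.10"), ("03:40:15", "abby", "198.51.100.7"),
            ("06:05:44", "adam", "192.0.2.10"), ("08:31:09", "adrian", "203.0.113.5"),
            ("11:02:30", "alan", "192.0.2.10"), ("13:20:51", "alex", "198.51.100.7")]
SAMPLE = [f"Dec  1 {t} gw sshd[800]: Failed password for invalid user {u} from {ip} port 4100 ssh2"
          for t, u, ip in ATTEMPTS]
SAMPLE.append("Dec  1 13:25:00 gw sshd[900]: Accepted publickey for ops from 192.0.2.99 port 22 ssh2")

if __name__ == "__main__":
    events = parse(SAMPLE)
    print(sorted(slow_repeaters(events)), sorted(shared_wordlist(events)))
```

On this sample the 24-hour per-address count flags only one of the three sources, while the username-order correlation reports all three; a 4-hour window flags none.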