From: Bill Moran
Date: Tue, 2 Dec 2008 08:54:27 -0500
To: d.forsyth@ru.ac.za
Cc: freebsd-questions@freebsd.org
Subject: Re: sshit runs out of semaphores

In response to "DA Forsyth":

> Hiya
>
> I recently started (trying) to use sshit to filter the many brute
> force sshd attacks.
>
> However, it has never worked on my box.  FreeBSD 7.0 p1.
>
> This morning it would only give a message (without exiting)
>   Could not create semaphore set: No space left on device
>   at /usr/local/sbin/sshit line 322
> Every time it gets stopped by CTRL-C it leaves the shared memory
> behind, allocated.

Have a look at ipcs and ipcrm, which will save you the reboots.

> A side issue is that sshit will only filter rapid fire attacks, but I
> am also seeing 'slow fire' attacks, where an IP is repeated every 2
> or 3 hours, but there seems to be a network of attackers because the
> name sequence is kept up across many incoming IPs.  Is there any
> script for countering these attacks?
> If not I'll write one I think.

My approach:
http://www.potentialtech.com/cms/node/16

-- 
Bill Moran
http://www.potentialtech.com
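
The ipcs/ipcrm cleanup suggested in the reply, as an added example that is not part of the original message: it reads `ipcs` output and prints (does not run) one `ipcrm` command per leftover shared memory segment or semaphore set owned by a given user. The function names, the sample listing and the assumption that the leaked objects belong to root are all constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run cleanup of leaked System V IPC objects.

# Constructed sample in the column layout of FreeBSD `ipcs` output
# (T ID KEY MODE OWNER GROUP). These values are not from the thread.
sample_ipcs() {
cat <<'EOF'
Message Queues:
T           ID          KEY MODE        OWNER    GROUP

Shared Memory:
T           ID          KEY MODE        OWNER    GROUP
m        65536   1936943988 --rw-rw----     root    wheel
m        65537      5432001 --rw-------    pgsql    pgsql

Semaphores:
T           ID          KEY MODE        OWNER    GROUP
s        65536   1936943988 --rw-rw----     root    wheel
s        65537      5432001 --rw-------    pgsql    pgsql
EOF
}

# Read `ipcs` output on stdin and print an ipcrm command for every
# shared memory segment (m) or semaphore set (s) owned by user $1.
# Header rows and section titles are skipped because their second
# field is not numeric. Nothing is removed: the commands are only
# printed so they can be reviewed before being run.
ipcrm_commands() {
    awk -v owner="$1" '
        ($1 == "m" || $1 == "s") && $2 ~ /^[0-9]+$/ && $5 == owner {
            printf "ipcrm -%s %s\n", $1, $2
        }'
}

# Dry run against the constructed sample. On a live system, with the
# daemon stopped:  ipcs | ipcrm_commands root
sample_ipcs | ipcrm_commands root
```

Other services running as the same user may own live segments, so check each printed ID against `ipcs` before running the commands.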