Re: sshit runs out of semaphores



In response to "DA Forsyth" <d.forsyth@xxxxxxxx>:

> Hiya
>
> I recently started (trying) to use sshit to filter the many brute
> force sshd attacks.
>
> However, it has never worked on my box. FreeBSD 7.0 p1.
>
> This morning it would only give a message (without exiting)
>     Could not create semaphore set: No space left on device
>     at /usr/local/sbin/sshit line 322
> Every time it gets stopped by CTRL-C it leaves the shared memory
> behind, allocated.

Have a look at ipcs and ipcrm, which will save you the reboots.

> A side issue is that sshit will only filter rapid fire attacks, but I
> am also seeing 'slow fire' attacks, where an IP is repeated every 2
> or 3 hours, but there seems to be a network of attackers because the
> name sequence is kept up across many incoming IPs. Is there any
> script for countering these attacks?
> If not I'll write one I think.

My approach:
http://www.potentialtech.com/cms/node/16

--
Bill Moran
http://www.potentialtech.com
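
The following is an added example, not part of the original thread and not the approach at the linked page: a sketch of detecting the 'slow fire' pattern from the question by counting failures per IP over days instead of seconds, and by spotting a username list that continues across source IPs. The log layout, the year argument, the thresholds and the alphabetical-order heuristic are assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed OpenSSH syslog layout; the duplicate "Failed password for invalid user" line is skipped.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user|Failed password for(?! invalid user)) (\S+) from (\S+)")

def failures(lines, year):
    """Yield (timestamp, user, ip) for each failed login, in log order."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def slow_offenders(lines, year, window=timedelta(days=2), threshold=3):
    """IPs with at least `threshold` failures inside any span of `window`."""
    recent, flagged = defaultdict(deque), set()
    for ts, _user, ip in failures(lines, year):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

def shared_list_sources(lines, year, min_ips=3):
    """IPs in the longest run of ascending usernames (assumes an alphabetical wordlist)."""
    run, best, prev = [], [], None
    for _ts, user, ip in failures(lines, year):
        run = run + [ip] if prev is None or user >= prev else [ip]
        prev = user
        if len(set(run)) >= min_ips and len(run) > len(best):
            best = run
    return set(best)

# Constructed sample log (documentation addresses), not taken from a real host.
SAMPLE = """\
Jun  3 02:14:07 box sshd[811]: Invalid user adam from 192.0.2.10
Jun  3 02:14:09 box sshd[811]: Failed password for invalid user adam from 192.0.2.10 port 4022 ssh2
Jun  3 04:40:51 box sshd[902]: Invalid user alice from 198.51.100.7
Jun  3 05:02:13 box sshd[915]: Invalid user bob from 192.0.2.10
Jun  3 07:31:44 box sshd[977]: Invalid user carol from 203.0.113.5
Jun  3 08:11:02 box sshd[990]: Invalid user dave from 192.0.2.10
Jun  9 10:00:00 box sshd[120]: Failed password for root from 198.51.100.7 port 5111 ssh2
""".splitlines()
```

With a five-minute window none of the sample addresses is flagged, which is the gap the question describes; the two-day window flags the address that returns every few hours.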