From: Chuck Swiger
To: Matt Emmerton
Cc: questions@freebsd.org
Date: Mon, 09 Aug 2010 23:20:26 -0700
Subject: Re: ssh under attack - sessions in accepted state hogging CPU
Message-id: <0EBB2174-57FA-4FE9-981F-14A47FD6F0F0@mac.com>

Hi, Matt--

On Aug 9, 2010, at 8:13 PM, Matt Emmerton wrote:
> I'm in the middle of dealing with a SSH brute force attack that is relentless. I'm working on getting sshguard+ipfw in place to deal with it, but in the meantime, my box is getting pegged because sshd is accepting some connections which are getting stuck in [accepted] state and eating CPU.
>
> I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?

If I wasn't allowed to require that in order to SSH to arbitrary internal machines one would need to do a VPN session, the second choice would be to install the openssh port with tcpwrappers support + denyhosts.

Regards,
--
-Chuck
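
Added example, not part of the original message and not DenyHosts' own code: the log-to-tcpwrappers idea behind the "tcpwrappers support + denyhosts" suggestion above, counting failed sshd logins per source and emitting deny rules. The log lines are constructed, and the function names, the threshold of 3, the `never_block` parameter and the `sshd : <addr> : deny` rule format are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (documentation address ranges only).
SAMPLE_LOG = """\
Aug  9 20:01:01 box sshd[4100]: Failed password for root from 203.0.113.5 port 40001 ssh2
Aug  9 20:01:03 box sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Aug  9 20:01:05 box sshd[4104]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Aug  9 20:01:09 box sshd[4110]: Failed password for matt from 198.51.100.7 port 51000 ssh2
Aug  9 20:01:12 box sshd[4111]: Accepted publickey for matt from 198.51.100.7 port 51001 ssh2
Aug  9 20:02:00 box sshd[4120]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 203.0.113.9 port 40100 ssh2
Aug  9 20:02:02 box sshd[4121]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 203.0.113.9 port 40101 ssh2
Aug  9 20:02:04 box sshd[4122]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 203.0.113.9 port 40102 ssh2
"""

# Greedy ".*" plus the end anchor makes the LAST "from <addr> port <n>" win,
# so a login name containing " from 192.0.2.10 port 22 ssh2" cannot get a
# third party's address counted and later blocked.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?.* from (\S+) port \d+(?: ssh\d?)?\s*$")

def failed_sources(log_text):
    """Count failed sshd logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            counts[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            continue  # not an IP literal: never copy raw log text into a rule
    return counts

def deny_rules(log_text, threshold=3, never_block=()):
    """Return tcpwrappers rules for sources with >= threshold failures."""
    safe = [ipaddress.ip_network(n) for n in never_block]
    rules = []
    for addr, hits in sorted(failed_sources(log_text).items()):
        ip = ipaddress.ip_address(addr)
        if hits < threshold or any(ip.version == n.version and ip in n for n in safe):
            continue
        host = f"[{addr}]" if ip.version == 6 else addr  # hosts_access(5) IPv6 form
        rules.append(f"sshd : {host} : deny")  # assumed hosts.allow rule format
    return rules

if __name__ == "__main__":
    print("\n".join(deny_rules(SAMPLE_LOG, never_block=["198.51.100.0/24"])))
```

The `never_block` list is where management or VPN ranges go, so a mistyped password from a trusted network cannot lock administrators out.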