From: "Dave"
To: freebsd-questions@freebsd.org
Date: Tue, 10 Aug 2010 15:25:11 +0100
Message-ID: <4C616147.30562.14C2991@dave.g8kbv.demon.co.uk>
In-reply-to: <4C60F3CB.6090204@speakeasy.net>
Subject: Re: ssh under attack - sessions in accepted state hogging CPU

On 8/9/2010 8:13 PM, Matt Emmerton wrote:
> Hi all,
>
> I'm in the middle of dealing with an SSH brute force attack that is
> relentless. I'm working on getting sshguard+ipfw in place to deal
> with it, but in the meantime, my box is getting pegged because sshd
> is accepting some connections which are getting stuck in [accepted]
> state and eating CPU.
>
> I know there's not much I can do about the brute force attacks, but
> will upgrading openssh avoid these stuck connections?
>
> root 39127 35.2 0.1 6724 3036 ?? Rs 11:10PM 0:37.91 sshd: [accepted] (sshd)
> root 39368 33.6 0.1 6724 3036 ?? Rs 11:10PM 0:22.99 sshd: [accepted] (sshd)
> root 39138 33.1 0.1 6724 3036 ?? Rs 11:10PM 0:41.94 sshd: [accepted] (sshd)
> root 39137 32.5 0.1 6724 3036 ?? Rs 11:10PM 0:36.56 sshd: [accepted] (sshd)
> root 39135 31.0 0.1 6724 3036 ?? Rs 11:10PM 0:35.09 sshd: [accepted] (sshd)
> root 39366 30.9 0.1 6724 3036 ?? Rs 11:10PM 0:23.01 sshd: [accepted] (sshd)
> root 39132 30.8 0.1 6724 3036 ?? Rs 11:10PM 0:35.21 sshd: [accepted] (sshd)
> root 39131 30.7 0.1 6724 3036 ?? Rs 11:10PM 0:38.07 sshd: [accepted] (sshd)
> root 39134 30.2 0.1 6724 3036 ?? Rs 11:10PM 0:40.96 sshd: [accepted] (sshd)
> root 39367 29.3 0.1 6724 3036 ?? Rs 11:10PM 0:22.08 sshd: [accepted] (sshd)
>
> PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
> 39597 root 1 103 0 6724K 3036K RUN 3 0:28 35.06% sshd
> 39599 root 1 103 0 6724K 3036K RUN 0 0:26 34.96% sshd
> 39596 root 1 103 0 6724K 3036K RUN 0 0:27 34.77% sshd
> 39579 root 1 103 0 6724K 3036K CPU3 3 0:28 33.69% sshd
> 39592 root 1 102 0 6724K 3036K RUN 2 0:27 32.18% sshd
> 39591 root 1 102 0 6724K 3036K CPU2 2 0:27 31.88% sshd
>
> --
> Matt Emmerton

Hi.

There is a cracking/DoS technique that tries to exhaust a server's resources by continually issuing connect requests, in the hope that when the stack croaks in some way, it'll somehow drop its guard, or go off air permanently.

Have you upset anyone recently?

Can you not move your services to non-standard IP ports, moving away from the standard ports where all the script kiddies & bots hang out, or are your clients cast in concrete?

I've got FTP, Web and SSH systems running on two sites, on very non-standard ports, with next to no one "trying" to get in as a result, but maintaining full visibility to the clients that need them, and know where they are!

All my standard ports (80, 21, 22 etc.) show as non-existent to the outside world, except on one site, where the mail server is continually getting hammered, but the site's ISP say they can't forward mail to any other port.

The users have no problems, so long as I correctly specify the port with the address to them, as in 'address:port' if I send them a link etc., or an example of how to fill in a connection dialog.

DJB.
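As an added example (not part of either mail above), a small POSIX sh/awk check that counts the sshd children stuck in the pre-authentication "[accepted]" state from `ps aux` output, so the condition Matt describes can be alerted on from cron rather than noticed by hand. The sample listing is constructed from the lines quoted in Matt's mail, and the CPU threshold and alert count are assumptions.

```shell
#!/bin/sh
# Constructed sample in `ps aux` layout: three of the quoted stuck children,
# the listening master, and an ordinary authenticated session for contrast.
SAMPLE_PS='root 39127 35.2 0.1 6724 3036 ?? Rs 11:10PM 0:37.91 sshd: [accepted] (sshd)
root 39368 33.6 0.1 6724 3036 ?? Rs 11:10PM 0:22.99 sshd: [accepted] (sshd)
root 39138 33.1 0.1 6724 3036 ?? Rs 11:10PM 0:41.94 sshd: [accepted] (sshd)
root 900 0.0 0.1 6724 3036 ?? Is 9:00AM 0:00.02 /usr/sbin/sshd
root 39140 0.3 0.1 6900 3200 ?? Ss 11:11PM 0:00.15 sshd: dave [priv] (sshd)'

# stuck_sshd_count PS_OUTPUT CPU_THRESHOLD
# Prints how many sshd children are still in "[accepted]" (no user yet)
# and burning more than CPU_THRESHOLD percent CPU (column 3 of ps aux).
# Field 11 is the start of the COMMAND column in this layout.
stuck_sshd_count() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        $11 == "sshd:" && $12 == "[accepted]" && ($3 + 0) > thr { n++ }
        END { print n + 0 }'
}

# stuck_sshd_cpu PS_OUTPUT CPU_THRESHOLD
# Prints the summed %CPU of those same processes, one decimal place.
stuck_sshd_cpu() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        $11 == "sshd:" && $12 == "[accepted]" && ($3 + 0) > thr { s += $3 }
        END { printf "%.1f\n", s + 0 }'
}

# check_live [MAX_STUCK] [CPU_THRESHOLD]
# One-shot check against the running system; returns 1 (and prints a line
# on stderr) when more than MAX_STUCK pre-auth children exceed the threshold,
# so a cron job or monitoring agent can act on the exit status.
check_live() {
    max=${1:-5}; thr=${2:-20}
    n=$(stuck_sshd_count "$(ps aux)" "$thr")
    if [ "$n" -gt "$max" ]; then
        echo "ALERT: $n sshd [accepted] sessions above ${thr}% CPU" >&2
        return 1
    fi
    return 0
}
```

Independently of detecting the condition, sshd's MaxStartups setting in sshd_config caps the number of concurrent unauthenticated connections, which bounds how many such "[accepted]" children can exist at once.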