Date: Wed, 11 Aug 2010 01:12:14 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Matt Emmerton <matt@gsicomp.on.ca>
Cc: James Harrison <oscartheduck@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: ssh under attack - sessions in accepted state hogging CPU
Message-ID: <20100810230031.L66749@sola.nimnet.asn.au>
In-Reply-To: <20100810033937.BBD851065784@hub.freebsd.org>
References: <20100810033937.BBD851065784@hub.freebsd.org>
In freebsd-questions Digest, Vol 323, Issue 3, Message: 35
On Mon, 9 Aug 2010 23:36:57 -0400 "Matt Emmerton" <matt@gsicomp.on.ca> wrote:

 > > > I know there's not much I can do about the brute force attacks, but will
 > > > upgrading openssh avoid these stuck connections?
 > >
 > > 1. switch over to using solely RSA keys
 >
 > In the works; I have too many users to convert :(
 >
 > > 2. switch to a non-standard port
 >
 > This is not attractive, even though it would be effective. I tried this
 > once already and my support volume skyrocketed so I had to switch back.

Matt, I've seen later responses; portknocking, tcpwrappers + denyhosts etc. The latter works well, but keeping lists of $badguys updated is becoming more intensive all the time against botnets.

If you're in a position to permit only connections from a table of IP addresses, maybe subnets, there's lots you can do to block connections from elsewhere before they get to sshd (or tcpwrappers), eg with ipfw:

 ipfw add $rule allow tcp from "table(22)" to me 22 in recv $ext_if setup
 ipfw add deny $logifdesired tcp from any to me 22 in recv $ext_if setup

Add keep-state, or earlier allow established connections, to taste.

For users with varying IPs you can have them do a (say) POP mail check or anything requiring auth, tail its log either live or from a maybe 5 minute cronjob to add $goodguys table entries, simple scripting and it's not too onerous training roaming users to (eg) check mail before login. Adding `date "+%s"` as the value for added table entries, it's easy enough deleting dynamic entries after some period of time, by cron.

If you can't limit connections to just $goodguys for logistic reasons you can at least use ipfw 'limit' rules to allow only say one or two ssh connections from one IP, which should help the open connections issue.

You could also impose connection limits running sshd from inetd(8):

 [/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]

HTH, Ian
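The log-driven $goodguys scheme Ian sketches (harvest the source IPs of authenticated POP logins into the ipfw table, stamp each entry with `date "+%s"`, let cron expire old ones) as an added example; this is not code from Ian's message or from FreeBSD. It assumes table number 22 as in the allow rule above, a Dovecot-style maillog whose successful logins are `pop3-login: Login:` lines carrying `rip=<ip>`, and the FreeBSD 8-era `ipfw table N list` output `addr/mask value` in which entries added by hand without a value show as 0. The log and table samples embedded in it are constructed.

```sh
#!/bin/sh
# Added example, not from the original thread or from FreeBSD: glue for a
# dynamic $goodguys ipfw table fed from POP login records and expired by cron.
# Assumptions (not stated on the page): table 22, Dovecot-style pop3-login
# log lines with "rip=<ip>", and "ipfw table N list" printing "addr/mask value"
# where untimestamped static entries carry value 0.

TABLE=22                # table the "allow tcp from table(22) to me 22" rule consults
TTL=1800                # seconds a dynamic entry stays valid (30 minutes)
LOG=/var/log/maillog    # assumed log location
IPFW=${IPFW:-ipfw}      # set IPFW="echo ipfw" to dry-run the table changes

# goodguy_ips: read log lines on stdin, print one source IP per successful
# POP login, unique and sorted. Only "Login:" lines count; a failed or
# aborted login must never whitelist the address that attempted it.
goodguy_ips() {
    sed -n 's/.*pop3-login: Login: .*rip=\([0-9][0-9.]*\),.*/\1/p' | sort -u
}

# expired_entries NOW TTL: read "addr/mask value" table lines on stdin and
# print the addr/mask of every dynamic entry whose stamp is older than TTL.
# Value 0 means the entry was added by hand without a timestamp (a static
# admin host), so it is skipped; otherwise cron would silently delete it.
expired_entries() {
    awk -v now="$1" -v ttl="$2" 'NF >= 2 && $2 != 0 && (now - $2) > ttl { print $1 }'
}

# add_goodguys: whitelist the IPs of the current log's successful POP logins,
# stamped with the current epoch time (run from a frequent cron job).
add_goodguys() {
    now=$(date "+%s")
    goodguy_ips < "$LOG" | while read -r ip; do
        # ipfw refuses to add an existing entry, so delete first to refresh
        # the stamp of a user who keeps checking mail.
        $IPFW table "$TABLE" delete "$ip" 2>/dev/null || true
        $IPFW table "$TABLE" add "$ip" "$now"
    done
}

# expire_goodguys: drop dynamic entries older than TTL (run from cron).
expire_goodguys() {
    $IPFW table "$TABLE" list | expired_entries "$(date "+%s")" "$TTL" |
    while read -r entry; do
        $IPFW table "$TABLE" delete "$entry"
    done
}

# Constructed sample data for an offline demo: one failed login that must
# not be whitelisted, one static entry, one stale and one fresh stamp.
SAMPLE_LOG='Aug 10 23:00:31 sola dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, TLS
Aug 10 23:01:02 sola dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.1
Aug 10 23:02:10 sola dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.1, TLS
Aug 10 23:03:00 sola dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, TLS'
SAMPLE_TABLE='10.0.0.1/32 0
203.0.113.5/32 1281481200
192.0.2.9/32 1281483000'
SAMPLE_NOW=1281483134

case "$1" in
    add)    add_goodguys ;;
    expire) expire_goodguys ;;
    demo)
        echo "would whitelist:"; printf '%s\n' "$SAMPLE_LOG" | goodguy_ips
        echo "would expire:";    printf '%s\n' "$SAMPLE_TABLE" | expired_entries "$SAMPLE_NOW" "$TTL"
        ;;
esac
```

Run it as `sh goodguys.sh add` every few minutes and `sh goodguys.sh expire` on the same schedule, or `sh goodguys.sh demo` to see the parsing on the embedded samples without touching ipfw. The delete-then-add in add_goodguys is what refreshes a roaming user's stamp; without it the entry would keep its first timestamp and be expired while the user is still active.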
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100810230031.L66749>