From owner-freebsd-questions@FreeBSD.ORG Tue Aug 10 15:12:19 2010
From: Ian Smith
To: Matt Emmerton
Cc: James Harrison, freebsd-questions@freebsd.org
Date: Wed, 11 Aug 2010 01:12:14 +1000 (EST)
Subject: Re: ssh under attack - sessions in accepted state hogging CPU
Message-ID: <20100810230031.L66749@sola.nimnet.asn.au>
In-Reply-To: <20100810033937.BBD851065784@hub.freebsd.org>

In freebsd-questions Digest, Vol 323, Issue 3, Message: 35
On Mon, 9 Aug 2010 23:36:57 -0400 "Matt Emmerton" wrote:

 > > > I know there's not much I can do about the brute force attacks, but will
 > > > upgrading openssh avoid these stuck connections?
 > >
 > > 1. switch over to using solely RSA keys
 >
 > In the works; I have too many users to convert :(
 >
 > > 2. switch to a non-standard port
 >
 > This is not attractive, even though it would be effective. I tried this
 > once already and my support volume skyrocketed so I had to switch back.

Matt, I've seen later responses; portknocking, tcpwrappers + denyhosts etc.
The latter works well, but keeping lists of $badguys updated is becoming more
intensive all the time against botnets.

If you're in a position to permit only connections from a table of IP
addresses, maybe subnets, there's lots you can do to block connections from
elsewhere before they get to sshd (or tcpwrappers), eg with ipfw:

  ipfw add $rule allow tcp from "table(22)" to me 22 in recv $ext_if setup
  ipfw add deny $logifdesired tcp from any to me 22 in recv $ext_if setup

Add keep-state, or earlier allow established connections, to taste.

For users with varying IPs you can have them do a (say) POP mail check or
anything requiring auth, tail its log either live or from a maybe 5 minute
cronjob to add $goodguys table entries, simple scripting and it's not too
onerous training roaming users to (eg) check mail before login.

Adding `date "+%s"` as the value for added table entries, it's easy enough
deleting dynamic entries after some period of time, by cron.

If you can't limit connections to just $goodguys for logistic reasons you can
at least use ipfw 'limit' rules to allow only say one or two ssh connections
from one IP, which should help the open connections issue.

You could also impose connection limits running sshd from inetd(8):

  [/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]

HTH, Ian
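An added example, not from Ian's message or any FreeBSD project code, of the $goodguys table upkeep he describes as a sh script for cron: it pulls client IPs from successful POP logins in a log tail, adds them to table 22 with `date "+%s"` as the entry value, and later deletes entries older than a TTL. The popd log line format, table number 22, the 30 minute TTL, the sample data and the echo dry run are all assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): feed Ian's ipfw table(22) allowlist from
# successful POP logins and expire stale entries by cron. Assumptions: table 22,
# a constructed popd log line format, and IPFW="echo ipfw" for a dry run.
TABLE=${TABLE:-22}
TTL=${TTL:-1800}            # seconds an entry stays valid (assumed 30 min)
IPFW=${IPFW:-echo ipfw}     # set IPFW=ipfw when run as root from cron

# Print unique client IPs from successful POP logins read on stdin.
# Constructed line shape: "... popd[PID]: login: user=NAME ip=A.B.C.D"
# (adapt the pattern to the real POP daemon's log format).
good_ips() {
    sed -n 's/.*popd\[[0-9]*\]: login: user=[^ ]* ip=\([0-9.][0-9.]*\).*/\1/p' | sort -u
}

# Read "ipfw table N list" output on stdin ("addr/len value", value = epoch
# seconds written at add time) and print entries older than $TTL at time $1.
expired_entries() {
    awk -v now="$1" -v ttl="$TTL" '$2 ~ /^[0-9]+$/ && now - $2 > ttl { print $1 }'
}

# cron step 1: tail the mail log into this; value is the time of this run.
add_good_ips() {
    now=$(date "+%s")
    good_ips | while read -r ip; do
        $IPFW table "$TABLE" add "$ip" "$now"
    done
}

# cron step 2: pipe "ipfw table $TABLE list" into this to drop stale entries.
expire_good_ips() {
    expired_entries "$(date "+%s")" | while read -r ent; do
        $IPFW table "$TABLE" delete "$ent"
    done
}

# Constructed sample input for a dry run (RFC 5737 documentation addresses);
# the failed login on the second line must not be added.
SAMPLE_LOG='Aug 10 14:55:01 sola popd[1234]: login: user=alice ip=203.0.113.7
Aug 10 14:55:09 sola popd[1235]: login failed: user=bob ip=192.0.2.44
Aug 10 14:57:30 sola popd[1236]: login: user=carol ip=198.51.100.9
Aug 10 14:58:02 sola popd[1237]: login: user=alice ip=203.0.113.7'
SAMPLE_TABLE='203.0.113.7/32 1281452101
198.51.100.9/32 1281448000'

printf '%s\n' "$SAMPLE_LOG" | add_good_ips
printf '%s\n' "$SAMPLE_TABLE" | expire_good_ips
```

In production the two cron steps are `tail -n 200 /var/log/maillog | add_good_ips` and `ipfw table 22 list | expire_good_ips`, with IPFW=ipfw and the log path adjusted to the local mail daemon.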