Date: Tue, 10 Aug 2010 16:33:46 +0100 From: Paul Macdonald <paul@ifdnrg.com> To: freebsd-questions@freebsd.org Subject: Re: ssh under attack - sessions in accepted state hogging CPU Message-ID: <4C61715A.8010402@ifdnrg.com> In-Reply-To: <4C616147.30562.14C2991@dave.g8kbv.demon.co.uk> References: <ED433058084C4B0FAE9C516075BF0440@hermes>, <4C60F3CB.6090204@speakeasy.net> <4C616147.30562.14C2991@dave.g8kbv.demon.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On 10/08/2010 15:25, Dave wrote: > On 8/9/2010 8:13 PM, Matt Emmerton wrote: > >> Hi all, >> >> I'm in the middle of dealing with a SSH brute force attack that is >> relentless. I'm working on getting sshguard+ipfw in place to deal >> with it, but in the meantime, my box is getting pegged because sshd >> is accepting some connections which are getting stuck in [accepted] >> state and eating CPU. >> >> I know there's not much I can do about the brute force attacks, but >> will upgrading openssh avoid these stuck connections? >> >> root 39127 35.2 0.1 6724 3036 ?? Rs 11:10PM 0:37.91 >> sshd: [accepted] (sshd) root 39368 33.6 0.1 6724 3036 ?? Rs >> 11:10PM 0:22.99 sshd: [accepted] (sshd) root 39138 33.1 0.1 >> 6724 3036 ?? Rs 11:10PM 0:41.94 sshd: [accepted] (sshd) root >> 39137 32.5 0.1 6724 3036 ?? Rs 11:10PM 0:36.56 sshd: >> [accepted] (sshd) root 39135 31.0 0.1 6724 3036 ?? Rs >> 11:10PM 0:35.09 sshd: [accepted] (sshd) root 39366 30.9 0.1 >> 6724 3036 ?? Rs 11:10PM 0:23.01 sshd: [accepted] (sshd) root >> 39132 30.8 0.1 6724 3036 ?? Rs 11:10PM 0:35.21 sshd: >> [accepted] (sshd) root 39131 30.7 0.1 6724 3036 ?? Rs >> 11:10PM 0:38.07 sshd: [accepted] (sshd) root 39134 30.2 0.1 >> 6724 3036 ?? Rs 11:10PM 0:40.96 sshd: [accepted] (sshd) root >> 39367 29.3 0.1 6724 3036 ?? Rs 11:10PM 0:22.08 sshd: >> [accepted] (sshd) >> >> PID USERNAME THR PRI NICE SIZE RES STATE C TIME >> WCPU >> COMMAND >> 39597 root 1 103 0 6724K 3036K RUN 3 0:28 >> 35.06% sshd 39599 root 1 103 0 6724K 3036K RUN >> 0 0:26 34.96% sshd 39596 root 1 103 0 6724K 3036K >> RUN 0 0:27 34.77% sshd 39579 root 1 103 0 >> 6724K 3036K CPU3 3 0:28 33.69% sshd 39592 root 1 >> 102 0 6724K 3036K RUN 2 0:27 32.18% sshd 39591 root >> 1 102 0 6724K 3036K CPU2 2 0:27 31.88% sshd >> >> -- >> Matt Emmerton > Hi. > > There is a cracking/DoS technique, that tries to exhaust a servers > resources, by continualy issuing connect requests, in the hope that > when the stack croaks in some way, it'll somehow drop it's guard, or > go off air permanently. Have you upset anyone recently? > > Can you not move your services to non standard IP ports, moving away > from the standard ports, where all the script kiddies& bots hang > out, or are your clients cast in concrete? > > I've got FTP, Web and SSH systems running on two sites, on very non > standard ports, with next to no one "trying" to get in as a result, > but maintaining full visibility to the clients that need them, and > know where they are! All my standard ports (80, 21, 22 etc) show as > non existant to the outside world, except on one site, where the > mail server is continualy getting hammered, but the site's ISP say > they cant forward mail to any other port. > I'm in agreement with dave here, about ssh anyway moving ssh to a non std port makes a massive difference, do it now! Paul. -- ------------------------- Paul Macdonald IFDNRG Ltd Web and video hosting ------------------------- t: 0131 5548070 m: 07534206249 e: paul@ifdnrg.com w: http://www.ifdnrg.com ------------------------- IFDNRG 40 Maritime Street Edinburgh EH6 6SA -------------------------
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C61715A.8010402>