From owner-freebsd-questions@FreeBSD.ORG Tue Aug 10 15:33:53 2010
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <4C61715A.8010402@ifdnrg.com>
Date: Tue, 10 Aug 2010 16:33:46 +0100
From: Paul Macdonald <paul@ifdnrg.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2
To: freebsd-questions@freebsd.org
References: <4C60F3CB.6090204@speakeasy.net> <4C616147.30562.14C2991@dave.g8kbv.demon.co.uk>
In-Reply-To: <4C616147.30562.14C2991@dave.g8kbv.demon.co.uk>
Subject: Re: ssh under attack - sessions in accepted state hogging CPU
List-Id: User questions

On 10/08/2010 15:25, Dave wrote:
> On 8/9/2010 8:13 PM, Matt Emmerton wrote:
>
>> Hi all,
>>
>> I'm in the middle of dealing with an SSH brute-force attack that is
>> relentless. I'm working on getting sshguard+ipfw in place to deal
>> with it, but in the meantime, my box is getting pegged because sshd
>> is accepting some connections which are getting stuck in [accepted]
>> state and eating CPU.
>>
>> I know there's not much I can do about the brute-force attacks, but
>> will upgrading openssh avoid these stuck connections?
>>
>> root 39127 35.2 0.1 6724 3036 ?? Rs 11:10PM 0:37.91 sshd: [accepted] (sshd)
>> root 39368 33.6 0.1 6724 3036 ?? Rs 11:10PM 0:22.99 sshd: [accepted] (sshd)
>> root 39138 33.1 0.1 6724 3036 ?? Rs 11:10PM 0:41.94 sshd: [accepted] (sshd)
>> root 39137 32.5 0.1 6724 3036 ?? Rs 11:10PM 0:36.56 sshd: [accepted] (sshd)
>> root 39135 31.0 0.1 6724 3036 ?? Rs 11:10PM 0:35.09 sshd: [accepted] (sshd)
>> root 39366 30.9 0.1 6724 3036 ?? Rs 11:10PM 0:23.01 sshd: [accepted] (sshd)
>> root 39132 30.8 0.1 6724 3036 ?? Rs 11:10PM 0:35.21 sshd: [accepted] (sshd)
>> root 39131 30.7 0.1 6724 3036 ?? Rs 11:10PM 0:38.07 sshd: [accepted] (sshd)
>> root 39134 30.2 0.1 6724 3036 ?? Rs 11:10PM 0:40.96 sshd: [accepted] (sshd)
>> root 39367 29.3 0.1 6724 3036 ?? Rs 11:10PM 0:22.08 sshd: [accepted] (sshd)
>>
>>   PID USERNAME THR PRI NICE  SIZE   RES STATE  C  TIME   WCPU COMMAND
>> 39597 root       1 103    0 6724K 3036K RUN    3  0:28 35.06% sshd
>> 39599 root       1 103    0 6724K 3036K RUN    0  0:26 34.96% sshd
>> 39596 root       1 103    0 6724K 3036K RUN    0  0:27 34.77% sshd
>> 39579 root       1 103    0 6724K 3036K CPU3   3  0:28 33.69% sshd
>> 39592 root       1 102    0 6724K 3036K RUN    2  0:27 32.18% sshd
>> 39591 root       1 102    0 6724K 3036K CPU2   2  0:27 31.88% sshd
>>
>> --
>> Matt Emmerton
>
> Hi.
>
> There is a cracking/DoS technique that tries to exhaust a server's
> resources by continually issuing connect requests, in the hope that
> when the stack croaks in some way, it'll somehow drop its guard, or
> go off air permanently. Have you upset anyone recently?
>
> Can you not move your services to non-standard IP ports, moving away
> from the standard ports where all the script kiddies & bots hang
> out, or are your clients cast in concrete?
>
> I've got FTP, Web and SSH systems running on two sites, on very
> non-standard ports, with next to no one "trying" to get in as a result,
> but maintaining full visibility to the clients that need them, and
> know where they are! All my standard ports (80, 21, 22 etc.) show as
> non-existent to the outside world, except on one site, where the
> mail server is continually getting hammered, but the site's ISP say
> they can't forward mail to any other port.
>

I'm in agreement with Dave here, about SSH anyway: moving SSH to a
non-standard port makes a massive difference. Do it now!

Paul.

--
-------------------------
Paul Macdonald
IFDNRG Ltd
Web and video hosting
-------------------------
t: 0131 5548070
m: 07534206249
e: paul@ifdnrg.com
w: http://www.ifdnrg.com
-------------------------
IFDNRG
40 Maritime Street
Edinburgh
EH6 6SA
-------------------------
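The thread above mentions sshguard+ipfw as the intended fix for the brute-force sources. The following script is an added example, not code from the thread or from sshguard: it shows the core of what such a tool does, namely counting failed and invalid-user attempts per source address in sshd's syslog output and emitting ipfw table entries for the offenders. The log lines, the threshold of 3, table number 1 and the rule number are all constructed assumptions for the illustration; the real input would be /var/log/auth.log.

```sh
#!/bin/sh
# Added example (not from the thread, not sshguard's code): find brute-force
# sources in sshd syslog lines and print ipfw table entries that block them.

# Constructed sample of /var/log/auth.log lines in FreeBSD syslog format.
# Addresses are documentation ranges; PIDs mirror the ones in the thread.
SAMPLE_LOG='Aug 10 11:10:01 host sshd[39127]: Invalid user oracle from 198.51.100.7
Aug 10 11:10:02 host sshd[39127]: Failed password for invalid user oracle from 198.51.100.7 port 51822 ssh2
Aug 10 11:10:03 host sshd[39131]: Invalid user test from 198.51.100.7
Aug 10 11:10:04 host sshd[39131]: Failed password for invalid user test from 198.51.100.7 port 51830 ssh2
Aug 10 11:10:05 host sshd[39132]: Failed password for root from 198.51.100.7 port 51844 ssh2
Aug 10 11:10:06 host sshd[39134]: Failed password for root from 203.0.113.9 port 40120 ssh2
Aug 10 11:10:07 host sshd[39135]: Accepted publickey for paul from 192.0.2.25 port 60000 ssh2
Aug 10 11:10:08 host sshd[39137]: Failed password for admin from 203.0.113.9 port 40133 ssh2'

# offenders THRESHOLD: read log lines on stdin, print "count ip" for every
# source address with at least THRESHOLD failed or invalid-user attempts,
# highest count first. Successful logins ("Accepted ...") are ignored.
offenders() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# ipfw_rules: turn "count ip" lines into ipfw table additions. The commands
# are printed, not executed; review them, then run them as root. They assume
# a rule such as
#   ipfw add 1000 deny tcp from 'table(1)' to me 22 in
# already exists (use your sshd port instead of 22 if you move it).
ipfw_rules() {
    while read -r count ip; do
        printf 'ipfw -q table 1 add %s # %s failures\n' "$ip" "$count"
    done
}

printf '%s\n' "$SAMPLE_LOG" | offenders 3 | ipfw_rules
```

With the constructed input only 198.51.100.7 crosses the threshold of three attempts; 203.0.113.9 has two and is left alone, which is the kind of margin that keeps a mistyped password from locking out a legitimate user. Blocking sources addresses the log noise, but the [accepted] processes in the original report are sshd children that are still pre-authentication; sshd's own MaxStartups directive (a documented sshd_config option, not something from the thread) caps how many of those may exist at once, and is the knob to reach for while a blocker is not yet in place.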