Date: Tue, 10 Aug 2010 12:03:36 -0400
From: "Matt Emmerton" <matt@gsicomp.on.ca>
To: "Dave" <dave@g8kbv.demon.co.uk>, <freebsd-questions@freebsd.org>
Subject: Re: ssh under attack - sessions in accepted state hogging CPU
Message-ID: <0D7E941EA64B4D9496F4D645BB1EDB52@hermes>
References: <ED433058084C4B0FAE9C516075BF0440@hermes>, <4C60F3CB.6090204@speakeasy.net> <4C616147.30562.14C2991@dave.g8kbv.demon.co.uk>
> On 8/9/2010 8:13 PM, Matt Emmerton wrote:
>
>> Hi all,
>>
>> I'm in the middle of dealing with an SSH brute force attack that is
>> relentless. I'm working on getting sshguard+ipfw in place to deal
>> with it, but in the meantime, my box is getting pegged because sshd
>> is accepting some connections which are getting stuck in [accepted]
>> state and eating CPU.
>>
>> I know there's not much I can do about the brute force attacks, but
>> will upgrading openssh avoid these stuck connections?
>
> There is a cracking/DoS technique that tries to exhaust a server's
> resources by continually issuing connect requests, in the hope that
> when the stack croaks in some way, it'll somehow drop its guard, or
> go off air permanently. Have you upset anyone recently?

Not that I know of - unless my wife counts :)

> Can you not move your services to non-standard IP ports, moving away
> from the standard ports, where all the script kiddies & bots hang
> out, or are your clients cast in concrete?

Right now, they are cast in concrete. I want to move many of them to public keys, so maybe I will change the port at the same time too.

> I've got FTP, Web and SSH systems running on two sites, on very
> non-standard ports, with next to no one "trying" to get in as a result,
> but maintaining full visibility to the clients that need them, and
> know where they are! All my standard ports (80, 21, 22 etc) show as
> nonexistent to the outside world, except on one site, where the
> mail server is continually getting hammered, but the site's ISP say
> they can't forward mail to any other port.

I have two servers on the same IP block, and one is getting brute-forced and the other is not. I guess it's just a matter of time before the botnets seek it out.

> The users have no problems, so long as I correctly specify the port
> with the address to them, as in 'address:port' if I send them a link
> etc, or an example how to fill in a connection dialog.

I'm seriously going to consider this.

--
Matt
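As an added example (not code from the thread or from sshguard), this is the core check that sshguard automates before it feeds an address into an ipfw table: count failed sshd logins per source address over a sliding time window and flag sources that cross a threshold. The log lines, host name, addresses and the threshold/window values are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of FreeBSD auth.log lines (not from the thread);
# the layout mirrors what OpenSSH's sshd writes through syslog.
SAMPLE_LOG = """\
Aug 10 11:58:01 hermes sshd[4812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug 10 11:58:03 hermes sshd[4815]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Aug 10 11:58:05 hermes sshd[4819]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Aug 10 11:58:09 hermes sshd[4823]: Failed password for root from 203.0.113.7 port 51055 ssh2
Aug 10 11:59:12 hermes sshd[4830]: Accepted publickey for matt from 198.51.100.5 port 40112 ssh2
Aug 10 12:00:44 hermes sshd[4841]: Failed password for matt from 198.51.100.5 port 40120 ssh2
"""

# syslog timestamp, host, "sshd[pid]:", then the failed-password message;
# "invalid user" appears when the account does not exist at all
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2010):
    """Yield (timestamp, user, ip) for every failed-password line.
    syslog omits the year, so it is supplied by the caller."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def offenders(log_text, threshold=4, window_s=60):
    """Return {ip: total_failures} for each source that produced at least
    `threshold` failures inside some window of `window_s` seconds.
    Sources that fail once (a typo'd password) are left alone."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= window_s
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Running `offenders(SAMPLE_LOG)` flags only 203.0.113.7 (four failures within eight seconds); the single failure from 198.51.100.5 stays below the threshold.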
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0D7E941EA64B4D9496F4D645BB1EDB52>