From owner-freebsd-questions@FreeBSD.ORG Tue Aug 10 16:21:00 2010
From: "Matt Emmerton" <matt@gsicomp.on.ca>
To: "Dave"
Cc: freebsd-questions@freebsd.org
Date: Tue, 10 Aug 2010 12:03:36 -0400
Subject: Re: ssh under attack - sessions in accepted state hogging CPU
List-Id: User questions

> On 8/9/2010 8:13 PM, Matt Emmerton wrote:
>
>> Hi all,
>>
>> I'm in the middle of dealing with an SSH brute force attack that is
>> relentless. I'm working on getting sshguard+ipfw in place to deal
>> with it, but in the meantime, my box is getting pegged because sshd
>> is accepting some connections which are getting stuck in [accepted]
>> state and eating CPU.
>>
>> I know there's not much I can do about the brute force attacks, but
>> will upgrading openssh avoid these stuck connections?
>
> There is a cracking/DoS technique that tries to exhaust a server's
> resources by continually issuing connect requests, in the hope that
> when the stack croaks in some way, it'll somehow drop its guard, or
> go off air permanently. Have you upset anyone recently?

Not that I know of - unless my wife counts :)

> Can you not move your services to non-standard IP ports, moving away
> from the standard ports, where all the script kiddies & bots hang
> out, or are your clients cast in concrete?

Right now, they are cast in concrete. I want to move many of them to
public keys, so maybe I will change the port at the same time too.

> I've got FTP, Web and SSH systems running on two sites, on very
> non-standard ports, with next to no one "trying" to get in as a result,
> but maintaining full visibility to the clients that need them, and
> know where they are! All my standard ports (80, 21, 22 etc) show as
> non-existent to the outside world, except on one site, where the
> mail server is continually getting hammered, but the site's ISP say
> they can't forward mail to any other port.

I have two servers on the same IP block, and one is getting brute-forced
and the other is not. I guess it's just a matter of time before the
botnets seek it out.

> The users have no problems, so long as I correctly specify the port
> with the address to them, as in 'address:port' if I send them a link
> etc, or an example how to fill in a connection dialog.

I'm seriously going to consider this.

--
Matt
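The sshguard+ipfw approach discussed in this thread boils down to counting failed sshd logins per source address and feeding the offenders into an ipfw table that a deny rule references. The script below is an added illustration, not code from the thread or from sshguard: it runs over constructed auth.log lines (made-up hosts and addresses) and only prints the ipfw commands rather than executing them; the table number 22 is assumed here as the table the deny rule consults.

```sh
#!/bin/sh
# Added example: count failed sshd password logins per source address in
# constructed auth.log lines and list addresses that cross a threshold.
# Sample data is constructed; the hostname and addresses are made up.
SAMPLE_LOG='Aug 10 11:58:01 hermes sshd[4021]: Invalid user oracle from 192.0.2.10
Aug 10 11:58:02 hermes sshd[4021]: Failed password for invalid user oracle from 192.0.2.10 port 51234 ssh2
Aug 10 11:58:05 hermes sshd[4025]: Failed password for root from 192.0.2.10 port 51240 ssh2
Aug 10 11:58:09 hermes sshd[4030]: Failed password for root from 192.0.2.10 port 51244 ssh2
Aug 10 11:58:10 hermes sshd[4033]: Accepted publickey for matt from 198.51.100.7 port 40022 ssh2
Aug 10 11:58:12 hermes sshd[4035]: Failed password for admin from 203.0.113.5 port 33001 ssh2'

# failed_counts LOG: print "count address" for every source address that
# produced a "Failed password" line; successful and "Invalid user" lines
# are ignored so a legitimate key login never counts against a host.
failed_counts() {
    printf '%s\n' "$1" \
      | sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | awk '{print $1, $2}'
}

# offenders LOG THRESHOLD: addresses with at least THRESHOLD failures.
offenders() {
    failed_counts "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# block_commands LOG THRESHOLD: the ipfw table commands an operator (or a
# tool like sshguard) would run for each offender. Printed, not executed,
# so the script can be reviewed on any host; table 22 is an assumed number.
block_commands() {
    offenders "$1" "$2" | awk '{print "ipfw table 22 add " $1}'
}

block_commands "$SAMPLE_LOG" 3
```

With the sample above and a threshold of 3 only 192.0.2.10 is reported; the single failure from 203.0.113.5 stays below the line, which is the point of thresholding before blocking.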