Date: Wed, 11 Aug 2010 12:51:13 -0400
From: "Matt Emmerton" <matt@gsicomp.on.ca>
To: "Erik Norgaard" <norgaard@locolomo.org>, <freebsd-questions@freebsd.org>
Subject: Re: ssh under attack - sessions in accepted state hogging CPU
Message-ID: <E07AF0CE3F744E23896478C7E753CDF2@hermes>
References: <ED433058084C4B0FAE9C516075BF0440@hermes> <4C61811B.7070703@locolomo.org>

> On 10/08/10 05.13, Matt Emmerton wrote:
>
>> I'm in the middle of dealing with a SSH brute force attack that is
>> relentless. I'm working on getting sshguard+ipfw in place to deal with it,
>> but in the meantime, my box is getting pegged because sshd is accepting some
>> connections which are getting stuck in [accepted] state and eating CPU.
>>
>> I know there's not much I can do about the brute force attacks, but will
>> upgrading openssh avoid these stuck connections?
>
> If the attack you're experiencing is trying to exhaust system resources by
> opening a large number of connections, then you may want to toggle these
> options in sshd_config:
>
> ClientAliveInterval
> LoginGraceTime
> MaxAuthTries
> MaxSessions
> MaxStartups
>
> Check the man-page. Secondly, check your logs if this attack is from a
> limited range of IPs, if so, you might want to try block those ranges.
>
> If your users will only connect from your country, then blocking other
> countries in your firewall is very effective.

Thanks to everyone for their help.

I did have MaxSessions set to a small number, but that essentially DoS'd my
access to the server when enough sshd processes got hung.

sshguard+ipfw was blocking a large number of attacks, but the other attacks
that were coming in and hanging sshd weren't getting caught (because they
weren't repetitive.)

I have moved some of my servers to alternate ports, and on the others I
tweaked some of the settings Erik suggested which has helped a lot.

Thanks for all the advice.

--
Matt
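
An added example, not part of the original thread: a small auditor that reads the five sshd_config options listed in the quoted reply and computes how MaxStartups (`start:rate:full`) refuses unauthenticated connections, following the description in sshd_config(5). The sample configuration is constructed, the defaults are those of the current OpenSSH manual page (an assumption for older releases), and the parser ignores `Include` and stops at the first `Match` block.

```python
import re

# Defaults from current OpenSSH sshd_config(5); older releases may differ.
DEFAULTS = {"clientaliveinterval": "0", "logingracetime": "120",
            "maxauthtries": "6", "maxsessions": "10", "maxstartups": "10:30:100"}

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
LoginGraceTime 30
MaxAuthTries=3
MaxStartups 5:50:20
Match Address 192.0.2.0/24
    MaxAuthTries 6
"""

def effective_settings(text):
    """Global values of the five options; sshd keeps the first value it sees."""
    found = {}
    for raw in text.splitlines():
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # later lines apply only to matching clients
            break
        if key in DEFAULTS and len(parts) == 2:
            found.setdefault(key, parts[1])
    return {**DEFAULTS, **found}

def parse_maxstartups(value):
    """'start:rate:full' -> (start, rate, full); a bare 'N' refuses everything at N."""
    nums = [int(n) for n in value.split(":")]
    if len(nums) == 1:
        return nums[0], 100, nums[0]
    start, rate, full = nums
    return start, rate, full

def drop_probability(unauth, start, rate, full):
    """Chance a new connection is refused with `unauth` unauthenticated ones open."""
    if unauth < start:
        return 0.0
    if unauth >= full or rate == 100:
        return 1.0
    return (rate + (100 - rate) * (unauth - start) / (full - start)) / 100

if __name__ == "__main__":
    cfg = effective_settings(SAMPLE)
    start, rate, full = parse_maxstartups(cfg["maxstartups"])
    print(cfg)
    for n in (4, 5, 11, 20):
        print(n, "unauthenticated ->", drop_probability(n, start, rate, full))
```

LoginGraceTime bounds how long each of those unauthenticated slots can be held before sshd disconnects the client.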