Date: Mon, 9 Aug 2010 23:13:49 -0400
From: "Matt Emmerton" <matt@gsicomp.on.ca>
To: <questions@freebsd.org>
Subject: ssh under attack - sessions in accepted state hogging CPU
Message-ID: <ED433058084C4B0FAE9C516075BF0440@hermes>

Hi all,

I'm in the middle of dealing with a SSH brute force attack that is relentless. I'm working on getting sshguard+ipfw in place to deal with it, but in the meantime, my box is getting pegged because sshd is accepting some connections which are getting stuck in [accepted] state and eating CPU.

I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?

root 39127 35.2 0.1 6724 3036 ?? Rs 11:10PM 0:37.91 sshd: [accepted] (sshd)
root 39368 33.6 0.1 6724 3036 ?? Rs 11:10PM 0:22.99 sshd: [accepted] (sshd)
root 39138 33.1 0.1 6724 3036 ?? Rs 11:10PM 0:41.94 sshd: [accepted] (sshd)
root 39137 32.5 0.1 6724 3036 ?? Rs 11:10PM 0:36.56 sshd: [accepted] (sshd)
root 39135 31.0 0.1 6724 3036 ?? Rs 11:10PM 0:35.09 sshd: [accepted] (sshd)
root 39366 30.9 0.1 6724 3036 ?? Rs 11:10PM 0:23.01 sshd: [accepted] (sshd)
root 39132 30.8 0.1 6724 3036 ?? Rs 11:10PM 0:35.21 sshd: [accepted] (sshd)
root 39131 30.7 0.1 6724 3036 ?? Rs 11:10PM 0:38.07 sshd: [accepted] (sshd)
root 39134 30.2 0.1 6724 3036 ?? Rs 11:10PM 0:40.96 sshd: [accepted] (sshd)
root 39367 29.3 0.1 6724 3036 ?? Rs 11:10PM 0:22.08 sshd: [accepted] (sshd)

  PID USERNAME THR PRI NICE  SIZE   RES STATE C TIME   WCPU COMMAND
39597 root       1 103    0 6724K 3036K RUN   3 0:28 35.06% sshd
39599 root       1 103    0 6724K 3036K RUN   0 0:26 34.96% sshd
39596 root       1 103    0 6724K 3036K RUN   0 0:27 34.77% sshd
39579 root       1 103    0 6724K 3036K CPU3  3 0:28 33.69% sshd
39592 root       1 102    0 6724K 3036K RUN   2 0:27 32.18% sshd
39591 root       1 102    0 6724K 3036K CPU2  2 0:27 31.88% sshd

--
Matt Emmerton