ssh under attack - sessions in accepted state hogging CPU

Dave dave at g8kbv.demon.co.uk
Tue Aug 10 14:25:13 UTC 2010


On 8/9/2010 8:13 PM, Matt Emmerton wrote:

> Hi all,
>
> I'm in the middle of dealing with a SSH brute force attack that is
> relentless.  I'm working on getting sshguard+ipfw in place to deal
> with it, but in the meantime, my box is getting pegged because sshd
> is accepting some connections which are getting stuck in [accepted]
> state and eating CPU.
>
> I know there's not much I can do about the brute force attacks, but
> will upgrading openssh avoid these stuck connections?
>
> root     39127 35.2  0.1  6724  3036  ??  Rs   11:10PM   0:37.91
> sshd: [accepted] (sshd) root     39368 33.6  0.1  6724  3036  ??  Rs
>   11:10PM   0:22.99 sshd: [accepted] (sshd) root     39138 33.1  0.1
>  6724  3036  ??  Rs   11:10PM   0:41.94 sshd: [accepted] (sshd) root
>     39137 32.5  0.1  6724  3036  ??  Rs   11:10PM   0:36.56 sshd:
> [accepted] (sshd) root     39135 31.0  0.1  6724  3036  ??  Rs  
> 11:10PM   0:35.09 sshd: [accepted] (sshd) root     39366 30.9  0.1 
> 6724  3036  ??  Rs   11:10PM   0:23.01 sshd: [accepted] (sshd) root 
>    39132 30.8  0.1  6724  3036  ??  Rs   11:10PM   0:35.21 sshd:
> [accepted] (sshd) root     39131 30.7  0.1  6724  3036  ??  Rs  
> 11:10PM   0:38.07 sshd: [accepted] (sshd) root     39134 30.2  0.1 
> 6724  3036  ??  Rs   11:10PM   0:40.96 sshd: [accepted] (sshd) root 
>    39367 29.3  0.1  6724  3036  ??  Rs   11:10PM   0:22.08 sshd:
> [accepted] (sshd)
>
>  PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME  
>  WCPU 
> COMMAND
> 39597 root             1 103    0  6724K  3036K RUN     3   0:28
> 35.06% sshd 39599 root             1 103    0  6724K  3036K RUN    
> 0   0:26 34.96% sshd 39596 root             1 103    0  6724K  3036K
> RUN     0   0:27 34.77% sshd 39579 root             1 103    0 
> 6724K  3036K CPU3    3   0:28 33.69% sshd 39592 root             1
> 102    0  6724K  3036K RUN     2   0:27 32.18% sshd 39591 root      
>       1 102    0  6724K  3036K CPU2    2   0:27 31.88% sshd
>
> -- 
> Matt Emmerton

Hi.

There is a cracking/DoS technique, that tries to exhaust a servers 
resources, by continualy issuing connect requests,  in the hope that 
when the stack croaks in some way, it'll somehow drop it's guard, or 
go off air permanently.   Have you upset anyone recently?

Can you not move your services to non standard IP ports, moving away 
from the standard ports, where all the script kiddies & bots hang 
out, or are your clients cast in concrete?

I've got FTP, Web and SSH systems running on two sites, on very non 
standard ports, with next to no one "trying" to get in as a result, 
but maintaining full visibility to the clients that need them, and 
know where they are!  All my standard ports (80, 21, 22 etc) show as 
non existant to the outside world, except on one site, where the 
mail server is continualy getting hammered, but the site's ISP say 
they cant forward mail to any other port.

The users have no problems, so long as I correctly specify the port 
with the address to them, as in 'address:port' if I send them a link 
etc, or an example how to fill in a connection dialog.

DJB.





More information about the freebsd-questions mailing list