ssh under attack - sessions in accepted state hogging CPU

Matt Emmerton matt at gsicomp.on.ca
Tue Aug 10 03:30:57 UTC 2010


Hi all,

I'm in the middle of dealing with an SSH brute force attack that is
relentless.  I'm working on getting sshguard+ipfw in place to deal with it, 
but in the meantime, my box is getting pegged because sshd is accepting some 
connections which are getting stuck in [accepted] state and eating CPU.

I know there's not much I can do about the brute force attacks, but will 
upgrading openssh avoid these stuck connections?

root     39127 35.2  0.1  6724  3036  ??  Rs   11:10PM   0:37.91 sshd: [accepted] (sshd)
root     39368 33.6  0.1  6724  3036  ??  Rs   11:10PM   0:22.99 sshd: [accepted] (sshd)
root     39138 33.1  0.1  6724  3036  ??  Rs   11:10PM   0:41.94 sshd: [accepted] (sshd)
root     39137 32.5  0.1  6724  3036  ??  Rs   11:10PM   0:36.56 sshd: [accepted] (sshd)
root     39135 31.0  0.1  6724  3036  ??  Rs   11:10PM   0:35.09 sshd: [accepted] (sshd)
root     39366 30.9  0.1  6724  3036  ??  Rs   11:10PM   0:23.01 sshd: [accepted] (sshd)
root     39132 30.8  0.1  6724  3036  ??  Rs   11:10PM   0:35.21 sshd: [accepted] (sshd)
root     39131 30.7  0.1  6724  3036  ??  Rs   11:10PM   0:38.07 sshd: [accepted] (sshd)
root     39134 30.2  0.1  6724  3036  ??  Rs   11:10PM   0:40.96 sshd: [accepted] (sshd)
root     39367 29.3  0.1  6724  3036  ??  Rs   11:10PM   0:22.08 sshd: [accepted] (sshd)

  PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
39597 root             1 103    0  6724K  3036K RUN     3   0:28 35.06% sshd
39599 root             1 103    0  6724K  3036K RUN     0   0:26 34.96% sshd
39596 root             1 103    0  6724K  3036K RUN     0   0:27 34.77% sshd
39579 root             1 103    0  6724K  3036K CPU3    3   0:28 33.69% sshd
39592 root             1 102    0  6724K  3036K RUN     2   0:27 32.18% sshd
39591 root             1 102    0  6724K  3036K CPU2    2   0:27 31.88% sshd

--
Matt Emmerton 



More information about the freebsd-questions mailing list