ssh under attack - sessions in accepted state hogging CPU

Rocky Borg rrborg at speakeasy.net
Tue Aug 10 06:38:05 UTC 2010


One thing I don't see mentioned a lot is port knocking. It's not perfect 
but it does have its uses.

Since it sounds like you have a lot of users that need to connect you 
might be able to adapt it to your situation. I haven't tried this 
specific port knocking sequence but you could set up a knock where if a 
user attempts to connect to port 22 say 3 times (most clients should 
auto retry) it then opens up port 22 to that IP and allows them to 
connect to sshd. This would depend on the type of brute force being 
done. A distributed botnet might only try an IP/port once or twice then 
move on. This would be pretty seamless to the end user except for an 
initial delay when connecting as their client retries the connection 
until the specific knock threshold has been hit. It's a middle ground to 
changing the port sshd is operating on. You can do this with firewall 
rules or http://www.freshports.org/security/knock/. A lot of SSH 
attacks are coming from large numbers of compromised hosts that make 
them very hard to stop with sshguard which is pretty annoying.
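The "three attempts, then open port 22 to that address" idea above is easy to prototype before wiring it into a firewall. The script below is an added example, not code from the original post or from the knock port: it counts SYNs to port 22 per source address over a constructed firewall-log excerpt and prints only the addresses that reach the threshold inside a time window, so a bot that tries once or twice never gets through, while the `ipfw table` command it emits for each surviving address is shown in dry-run form only (the table number and log format are assumptions).

```sh
#!/bin/sh
# Added example: knock-threshold logic for sshd, run as a dry run.
# Constructed log excerpt, one line per inbound SYN: "<epoch> <src_ip> <dst_port>"
SAMPLE_LOG='1281400000 192.0.2.10 22
1281400001 198.51.100.7 22
1281400002 192.0.2.10 22
1281400003 203.0.113.5 22
1281400004 192.0.2.10 22
1281400005 198.51.100.7 22
1281400100 203.0.113.5 22
1281400200 203.0.113.5 22
1281400201 203.0.113.5 22
1281400210 192.0.2.10 80'

# knock_decide THRESHOLD WINDOW  < log
# Prints, one per line, each source IP that hit port 22 at least THRESHOLD
# times within WINDOW seconds of the first attempt of its current burst.
# Attempts spaced further apart than WINDOW start a fresh count, so slow
# one-or-two-tries-per-host scanning never crosses the threshold.
knock_decide() {
    awk -v thr="$1" -v win="$2" '
        $3 != 22 { next }                      # only SYNs to sshd count as knocks
        {
            ip = $2; t = $1 + 0
            if (!(ip in start) || t - start[ip] > win) { start[ip] = t; n[ip] = 0 }
            n[ip]++
            if (n[ip] == thr && !(ip in allowed)) { allowed[ip] = t; print ip }
        }'
}

# ipfw_allow_cmd IP
# Returns the ipfw command that would add IP to the allow table.  The table
# number (1) is an assumption; a matching ruleset would contain something like
#   ipfw add allow tcp from table\(1\) to me 22
# ahead of the rule that otherwise drops port 22.
ipfw_allow_cmd() {
    echo "ipfw table 1 add $1"
}

# Dry run over the constructed log: print the decision and the command,
# without touching the firewall.
printf '%s\n' "$SAMPLE_LOG" | knock_decide 3 60 | while read -r ip; do
    echo "open port 22 for $ip -> $(ipfw_allow_cmd "$ip")"
done
```

With the sample log, only 192.0.2.10 (three SYNs within five seconds) is opened; 198.51.100.7 stops at two tries and 203.0.113.5 spreads its attempts over more than a minute, so neither crosses the threshold. In production you would also expire entries out of the table, since the whole point is that an address stays closed until it knocks again.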

On 8/9/2010 8:13 PM, Matt Emmerton wrote:
> Hi all,
>
> I'm in the middle of dealing with a SSH brute force attack that is 
> relentless.  I'm working on getting sshguard+ipfw in place to deal 
> with it, but in the meantime, my box is getting pegged because sshd is 
> accepting some connections which are getting stuck in [accepted] state 
> and eating CPU.
>
> I know there's not much I can do about the brute force attacks, but 
> will upgrading openssh avoid these stuck connections?
>
> root     39127 35.2  0.1  6724  3036  ??  Rs   11:10PM   0:37.91 sshd: [accepted] (sshd)
> root     39368 33.6  0.1  6724  3036  ??  Rs   11:10PM   0:22.99 sshd: [accepted] (sshd)
> root     39138 33.1  0.1  6724  3036  ??  Rs   11:10PM   0:41.94 sshd: [accepted] (sshd)
> root     39137 32.5  0.1  6724  3036  ??  Rs   11:10PM   0:36.56 sshd: [accepted] (sshd)
> root     39135 31.0  0.1  6724  3036  ??  Rs   11:10PM   0:35.09 sshd: [accepted] (sshd)
> root     39366 30.9  0.1  6724  3036  ??  Rs   11:10PM   0:23.01 sshd: [accepted] (sshd)
> root     39132 30.8  0.1  6724  3036  ??  Rs   11:10PM   0:35.21 sshd: [accepted] (sshd)
> root     39131 30.7  0.1  6724  3036  ??  Rs   11:10PM   0:38.07 sshd: [accepted] (sshd)
> root     39134 30.2  0.1  6724  3036  ??  Rs   11:10PM   0:40.96 sshd: [accepted] (sshd)
> root     39367 29.3  0.1  6724  3036  ??  Rs   11:10PM   0:22.08 sshd: [accepted] (sshd)
>
>   PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
> 39597 root             1 103    0  6724K  3036K RUN     3   0:28 35.06% sshd
> 39599 root             1 103    0  6724K  3036K RUN     0   0:26 34.96% sshd
> 39596 root             1 103    0  6724K  3036K RUN     0   0:27 34.77% sshd
> 39579 root             1 103    0  6724K  3036K CPU3    3   0:28 33.69% sshd
> 39592 root             1 102    0  6724K  3036K RUN     2   0:27 32.18% sshd
> 39591 root             1 102    0  6724K  3036K CPU2    2   0:27 31.88% sshd
>
> -- 
> Matt Emmerton
