ssh under attack - sessions in accepted state hogging CPU
Rocky Borg
rrborg at speakeasy.net
Tue Aug 10 06:38:05 UTC 2010
One thing I don't see mentioned a lot is port knocking. It's not perfect
but it does have its uses.
Since it sounds like you have a lot of users that need to connect you
might be able to adapt it to your situation. I haven't tried this
specific port knocking sequence but you could set up a knock where if a
user attempts to connect to port 22 say 3 times (most clients should
auto retry) it then opens up port 22 to that ip and allows them to
connect to sshd. This would depend on the type of brute force being
done. A distributed botnet might only try an ip/port once or twice then
move on. This would be pretty seamless to the end user except for an
initial delay when connecting as their client retries the connection
until the specific knock threshold has been hit. It's a middle ground to
changing the port sshd is operating on. You can do this with firewall
rules or http://www.freshports.org/security/knock/. A lot of SSH
attacks are coming from large numbers of compromised hosts that make
them very hard to stop with sshguard which is pretty annoying.
On 8/9/2010 8:13 PM, Matt Emmerton wrote:
> Hi all,
>
> I'm in the middle of dealing with an SSH brute force attack that is
> relentless. I'm working on getting sshguard+ipfw in place to deal
> with it, but in the meantime, my box is getting pegged because sshd is
> accepting some connections which are getting stuck in [accepted] state
> and eating CPU.
>
> I know there's not much I can do about the brute force attacks, but
> will upgrading openssh avoid these stuck connections?
>
> root 39127 35.2 0.1 6724 3036 ?? Rs 11:10PM 0:37.91 sshd: [accepted] (sshd)
> root 39368 33.6 0.1 6724 3036 ?? Rs 11:10PM 0:22.99 sshd: [accepted] (sshd)
> root 39138 33.1 0.1 6724 3036 ?? Rs 11:10PM 0:41.94 sshd: [accepted] (sshd)
> root 39137 32.5 0.1 6724 3036 ?? Rs 11:10PM 0:36.56 sshd: [accepted] (sshd)
> root 39135 31.0 0.1 6724 3036 ?? Rs 11:10PM 0:35.09 sshd: [accepted] (sshd)
> root 39366 30.9 0.1 6724 3036 ?? Rs 11:10PM 0:23.01 sshd: [accepted] (sshd)
> root 39132 30.8 0.1 6724 3036 ?? Rs 11:10PM 0:35.21 sshd: [accepted] (sshd)
> root 39131 30.7 0.1 6724 3036 ?? Rs 11:10PM 0:38.07 sshd: [accepted] (sshd)
> root 39134 30.2 0.1 6724 3036 ?? Rs 11:10PM 0:40.96 sshd: [accepted] (sshd)
> root 39367 29.3 0.1 6724 3036 ?? Rs 11:10PM 0:22.08 sshd: [accepted] (sshd)
>
> PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
> 39597 root 1 103 0 6724K 3036K RUN 3 0:28 35.06% sshd
> 39599 root 1 103 0 6724K 3036K RUN 0 0:26 34.96% sshd
> 39596 root 1 103 0 6724K 3036K RUN 0 0:27 34.77% sshd
> 39579 root 1 103 0 6724K 3036K CPU3 3 0:28 33.69% sshd
> 39592 root 1 102 0 6724K 3036K RUN 2 0:27 32.18% sshd
> 39591 root 1 102 0 6724K 3036K CPU2 2 0:27 31.88% sshd
>
> --
> Matt Emmerton
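The "retry three times and the port opens for that IP" knock that Rocky describes above, modelled as an added example in Python (not code from the post, from knockd or from any firewall); the threshold, time window, open duration and the sample IP addresses are constructed assumptions, and in this model the attempt that completes the knock is itself let through, whereas a real firewall rule might only admit the client's next retry.

```python
from collections import defaultdict, deque

KNOCK_COUNT = 3        # attempts on port 22 needed before the port opens for that IP
KNOCK_WINDOW = 30.0    # seconds within which those attempts must occur
OPEN_FOR = 60.0        # seconds the port stays open to that IP after the knock

class KnockGate:
    """Per-source-IP decision: may this connection reach sshd?
    Stand-in for the firewall-rule / knockd logic described in the post."""
    def __init__(self, count=KNOCK_COUNT, window=KNOCK_WINDOW, open_for=OPEN_FOR):
        self.count, self.window, self.open_for = count, window, open_for
        self.attempts = defaultdict(deque)   # ip -> timestamps of refused attempts
        self.opened = {}                     # ip -> time at which the opening expires

    def attempt(self, ip, now):
        """Record one connection attempt; return True if it may reach sshd."""
        if self.opened.get(ip, 0.0) > now:
            return True                      # already knocked through, still open
        q = self.attempts[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget attempts outside the window
            q.popleft()
        if len(q) >= self.count:             # knock completed: open the port for a while
            self.opened[ip] = now + self.open_for
            q.clear()
            return True
        return False                         # a lone probe never reaches sshd

def replay(gate, events):
    """Feed (time, ip) events in time order; return {ip: [allowed flags]}."""
    out = defaultdict(list)
    for t, ip in sorted(events):
        out[ip].append(gate.attempt(ip, t))
    return dict(out)

# Constructed sample (hypothetical addresses): a user's client retrying three
# times, a botnet host touching the port once and moving on, and a host whose
# two attempts are too far apart to count as a knock.
EVENTS = [
    (0.0, "198.51.100.7"), (1.5, "198.51.100.7"), (3.0, "198.51.100.7"),
    (10.0, "198.51.100.7"),
    (4.0, "203.0.113.9"),
    (5.0, "192.0.2.42"), (100.0, "192.0.2.42"),
]

if __name__ == "__main__":
    for ip, flags in replay(KnockGate(), EVENTS).items():
        print(ip, flags)
```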