ssh under attack - sessions in accepted state hogging CPU
smithi at nimnet.asn.au
Tue Aug 10 15:12:19 UTC 2010
In freebsd-questions Digest, Vol 323, Issue 3, Message: 35
On Mon, 9 Aug 2010 23:36:57 -0400 "Matt Emmerton" <matt at gsicomp.on.ca> wrote:
> > > I know there's not much I can do about the brute force attacks, but will
> > > upgrading openssh avoid these stuck connections?
> > 1. switch over to using solely RSA keys
> In the works; I have too many users to convert :(
> > 2. switch to a non-standard port
> This is not attractive, even though it would be effective. I tried this
> once already and my support volume skyrocketed so I had to switch back.
Matt, I've seen later responses: portknocking, tcpwrappers + denyhosts,
etc. The latter works well, but keeping lists of $badguys updated is
becoming more intensive all the time against botnets.
If you're in a position to permit only connections from a table of IP
addresses, maybe subnets, there's lots you can do to block connections
from elsewhere before they get to sshd (or tcpwrappers), eg with ipfw:
ipfw add $rule allow tcp from "table(22)" to me 22 in recv $ext_if setup
ipfw add deny $logifdesired tcp from any to me 22 in recv $ext_if setup
Add keep-state, or earlier allow established connections, to taste.
For users with varying IPs you can have them do a (say) POP mail check,
or anything requiring auth, and tail its log either live or from a (maybe
5-minute) cronjob to add $goodguys table entries; simple scripting, and
it's not too onerous training roaming users to (eg) check mail before login.
Adding `date "+%s"` as the value for added table entries, it's easy
enough to delete dynamic entries after some period of time, by cron.
If you can't limit connections to just $goodguys for logistic reasons
you can at least use ipfw 'limit' rules to allow only say one or two ssh
connections from one IP, which should help the open connections issue.
You could also impose connection limits running sshd from inetd(8):
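As an added example (not part of the original message, nor FreeBSD's own scripts) of the dynamic $goodguys idea above: a small sh/awk script that turns successful-auth log lines into ipfw table entries whose value is the epoch time of the add, and that later emits delete commands for entries older than a cutoff. The table number (22), the 30-minute cutoff, the log line formats and the convention that value 0 marks a permanent entry are all assumptions; the sample log lines and the table dump are constructed. Commands are printed rather than executed so the logic can be checked on a host without ipfw; on the firewall you would pipe the output into sh from cron.

```shell
#!/bin/sh
# Added example, not from the original message. Builds ipfw table add/delete
# commands from auth log lines; the table is the one referenced by a rule like
#   ipfw add $rule allow tcp from "table(22)" to me 22 in recv $ext_if setup

GOODGUYS=22        # assumption: ipfw table number used as $goodguys
MAX_AGE=1800       # assumption: seconds a dynamic entry lives (30 min)

# Constructed sample log lines. The sshd lines follow OpenSSH's format; the
# "LOGIN OK" line is an illustrative stand-in for whatever your POP daemon logs.
SAMPLE_LOG='Aug 10 14:58:01 mx sshd[4421]: Accepted publickey for alice from 203.0.113.7 port 51322 ssh2
Aug 10 14:58:09 mx sshd[4430]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Aug 10 14:59:12 mx popd[4501]: LOGIN OK user=bob from 198.51.100.23
Aug 10 15:00:40 mx sshd[4477]: Accepted password for alice from 203.0.113.7 port 51340 ssh2'

# Print "ipfw table N add IP NOW" for each IP that authenticated successfully.
# $1 = log text, $2 = epoch seconds (date "+%s") stored as the entry's value.
add_cmds() {
    printf '%s\n' "$1" | awk -v tbl="$GOODGUYS" -v now="$2" '
        # Only successful auth events count; failed logins earn nothing.
        /Accepted (publickey|password) for/ || /LOGIN OK/ {
            ip = ""
            # Take the IPv4 address following the word "from".
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    ip = $(i+1)
            # Dedupe within one batch so a busy user yields a single command.
            if (ip != "" && !(ip in seen)) {
                seen[ip] = 1
                print "ipfw table " tbl " add " ip " " now
            }
        }'
}

# Given the output of "ipfw table N list" (one "addr/mask value" per line,
# value = epoch seconds when added), print delete commands for entries older
# than MAX_AGE. Value 0 is treated as a permanent entry and never expired
# (a convention assumed here, not an ipfw feature).
# $1 = table dump, $2 = current epoch seconds.
expire_cmds() {
    printf '%s\n' "$1" | awk -v tbl="$GOODGUYS" -v now="$2" -v max="$MAX_AGE" '
        NF >= 2 && $2 ~ /^[0-9]+$/ && $2 != 0 && now - $2 > max {
            print "ipfw table " tbl " delete " $1
        }'
}

# Usage from cron would be, e.g.:
#   add_cmds "$(tail -n 200 /var/log/auth.log)" "$(date +%s)" | sh
#   expire_cmds "$(ipfw table 22 list)" "$(date +%s)" | sh
# Here a fixed "now" is used so the demonstration is reproducible.
NOW=1281452400
add_cmds "$SAMPLE_LOG" "$NOW"
```

Pairing this with the deny rule for everyone else, and a `limit src-addr` rule on the allowed path, gives you an allowlist that roaming users refresh just by checking mail, while stale entries fall out on their own.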