ssh under attack - sessions in accepted state hogging CPU

Ian Smith smithi at
Tue Aug 10 15:12:19 UTC 2010

In freebsd-questions Digest, Vol 323, Issue 3, Message: 35
On Mon, 9 Aug 2010 23:36:57 -0400 "Matt Emmerton" <matt at> wrote: 

 > > > I know there's not much I can do about the brute force attacks, but will
 > > > upgrading openssh avoid these stuck connections?
 > >
 > > 1. switch over to using solely RSA keys
 > In the works; I have too many users to convert :(
 > > 2. switch to a non-standard port
 > This is not attractive, even though it would be effective.  I tried this 
 > once already and my support volume skyrocketed so I had to switch back.

Matt, I've seen later responses; portknocking, tcpwrappers + denyhosts 
etc.  The latter works, well but keeping lists of $badguys updated is 
becoming more intensive all the time against botnets.

If you're in a position to permit only connections from a table of IP 
addresses, maybe subnets, there's lots you can do to block connections 
from elsewhere before they get to sshd (or tcpwrappers), eg with ipfw:

ipfw add $rule allow tcp from "table(22)" to me 22 in recv $ext_if setup
ipfw add deny $logifdesired tcp from any to me 22 in recv $ext_if setup

Add keep-state, or earlier allow established connections, to taste.

For users with varying IPs you can have them do a (say) POP mail ckeck 
or anything requiring auth, tail its log either live or from a maybe 5 
minute cronjob to add $goodguys table entries, simple scripting and it's 
not too onerous training roaming users to (eg) check mail before login.

Adding `date "+%s"` as the value for added table entries, it's easy 
enough deleting dynamic entries after some period of time, by cron.

If you can't limit connections to just $goodguys for logistic reasons 
you can at least use ipfw 'limit' rules to allow only say one or two ssh 
connections from one IP, which should help the open connections issue.

You could also impose connection limits running sshd from inetd(8):

HTH, Ian

More information about the freebsd-questions mailing list