ssh under attack - sessions in accepted state hogging CPU

Paul Macdonald paul at ifdnrg.com
Tue Aug 10 15:33:53 UTC 2010


  On 10/08/2010 15:25, Dave wrote:
> On 8/9/2010 8:13 PM, Matt Emmerton wrote:
>
>> Hi all,
>>
>> I'm in the middle of dealing with a SSH brute force attack that is
>> relentless.  I'm working on getting sshguard+ipfw in place to deal
>> with it, but in the meantime, my box is getting pegged because sshd
>> is accepting some connections which are getting stuck in [accepted]
>> state and eating CPU.
>>
>> I know there's not much I can do about the brute force attacks, but
>> will upgrading openssh avoid these stuck connections?
>>
>> root     39127 35.2  0.1  6724  3036  ??  Rs   11:10PM   0:37.91 sshd: [accepted] (sshd)
>> root     39368 33.6  0.1  6724  3036  ??  Rs   11:10PM   0:22.99 sshd: [accepted] (sshd)
>> root     39138 33.1  0.1  6724  3036  ??  Rs   11:10PM   0:41.94 sshd: [accepted] (sshd)
>> root     39137 32.5  0.1  6724  3036  ??  Rs   11:10PM   0:36.56 sshd: [accepted] (sshd)
>> root     39135 31.0  0.1  6724  3036  ??  Rs   11:10PM   0:35.09 sshd: [accepted] (sshd)
>> root     39366 30.9  0.1  6724  3036  ??  Rs   11:10PM   0:23.01 sshd: [accepted] (sshd)
>> root     39132 30.8  0.1  6724  3036  ??  Rs   11:10PM   0:35.21 sshd: [accepted] (sshd)
>> root     39131 30.7  0.1  6724  3036  ??  Rs   11:10PM   0:38.07 sshd: [accepted] (sshd)
>> root     39134 30.2  0.1  6724  3036  ??  Rs   11:10PM   0:40.96 sshd: [accepted] (sshd)
>> root     39367 29.3  0.1  6724  3036  ??  Rs   11:10PM   0:22.08 sshd: [accepted] (sshd)
>>
>>   PID USERNAME   THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
>> 39597 root         1 103    0  6724K  3036K RUN     3   0:28 35.06% sshd
>> 39599 root         1 103    0  6724K  3036K RUN     0   0:26 34.96% sshd
>> 39596 root         1 103    0  6724K  3036K RUN     0   0:27 34.77% sshd
>> 39579 root         1 103    0  6724K  3036K CPU3    3   0:28 33.69% sshd
>> 39592 root         1 102    0  6724K  3036K RUN     2   0:27 32.18% sshd
>> 39591 root         1 102    0  6724K  3036K CPU2    2   0:27 31.88% sshd
>>
>> -- 
>> Matt Emmerton
> Hi.
>
> There is a cracking/DoS technique that tries to exhaust a server's
> resources by continually issuing connect requests, in the hope that
> when the stack croaks in some way, it'll somehow drop its guard, or
> go off air permanently.   Have you upset anyone recently?
>
> Can you not move your services to non-standard IP ports, moving away
> from the standard ports where all the script kiddies & bots hang
> out, or are your clients cast in concrete?
>
> I've got FTP, Web and SSH systems running on two sites, on very
> non-standard ports, with next to no one "trying" to get in as a result,
> but maintaining full visibility to the clients that need them, and
> know where they are!  All my standard ports (80, 21, 22 etc.) show as
> non-existent to the outside world, except on one site, where the
> mail server is continually getting hammered, but the site's ISP say
> they can't forward mail to any other port.
>
I'm in agreement with Dave here, about SSH anyway: moving SSH to a
non-standard port makes a massive difference, do it now!

Paul.

-- 
-------------------------
Paul Macdonald
IFDNRG Ltd
Web and video hosting
-------------------------
t: 0131 5548070
m: 07534206249
e: paul at ifdnrg.com
w: http://www.ifdnrg.com
-------------------------
IFDNRG
40 Maritime Street
Edinburgh
EH6 6SA
-------------------------
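The thread's interim fix is sshguard in front of ipfw: watch the auth log for failed logins and put repeat offenders into a firewall table. The script below is an added example written for this page, not sshguard's own code and not posted by anyone in the thread. It parses OpenSSH failure messages in FreeBSD syslog format, counts failures per source address inside a sliding time window, honours an allow-list so an admin network can never lock itself out, and prints the ipfw(8) table commands rather than running them. The log lines are constructed (documentation addresses, the PIDs from the thread), the table number 22 and the deny rule mentioned in the comment are hypothetical, and the threshold and window are assumptions you would tune.

```python
"""Sliding-window SSH brute-force detector that emits ipfw table commands.

Added example, not sshguard's implementation.  Reads OpenSSH auth-failure
lines in FreeBSD syslog format, counts failures per source inside a time
window, and returns the ipfw(8) commands that would block each offender.
Nothing here executes a command.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log (not real data).  203.0.113.5
# hammers root, 198.51.100.7 retries too slowly to trip the window, and
# 192.0.2.10 is an admin host that also fails three times.
SAMPLE_LOG = """\
Aug 10 11:10:01 host sshd[39127]: Invalid user admin from 203.0.113.5
Aug 10 11:10:02 host sshd[39127]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 10 11:10:03 host sshd[39131]: Failed password for root from 203.0.113.5 port 51240 ssh2
Aug 10 11:10:04 host sshd[39132]: Failed password for root from 203.0.113.5 port 51241 ssh2
Aug 10 11:10:06 host sshd[39135]: Did not receive identification string from 198.51.100.7
Aug 10 11:10:07 host sshd[39137]: Failed password for root from 198.51.100.7 port 40001 ssh2
Aug 10 11:10:20 host sshd[39138]: Failed password for matt from 192.0.2.10 port 50000 ssh2
Aug 10 11:10:21 host sshd[39138]: Failed password for matt from 192.0.2.10 port 50000 ssh2
Aug 10 11:10:22 host sshd[39138]: Failed password for matt from 192.0.2.10 port 50000 ssh2
Aug 10 11:10:30 host sshd[39138]: Accepted publickey for matt from 192.0.2.10 port 50000 ssh2
Aug 10 11:20:30 host sshd[39366]: Failed password for root from 198.51.100.7 port 40002 ssh2
"""

# Standard OpenSSH messages for a failed or aborted login attempt.
FAILURE_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"),
    re.compile(r"Invalid user \S+ from (\S+)"),
    re.compile(r"Did not receive identification string from (\S+)"),
]
SYSLOG_PREFIX = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (.*)$")


def parse_line(line, year=2010):
    """Return (timestamp, source_ip) for an sshd failure line, else None.
    Syslog lines carry no year, so one is assumed (only deltas matter)."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    for pat in FAILURE_PATTERNS:
        fm = pat.search(m.group(2))
        if fm:
            return stamp, fm.group(1)
    return None


def is_allowed(ip, allow_nets):
    """True if ip lies inside any allow-listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname rather than literal; never allow-list it
        return False
    return any(addr in net for net in allow_nets)


def find_offenders(lines, threshold=3, window_seconds=600, allow=()):
    """Return {ip: (block_time, failures_in_window)} for every source that
    reaches `threshold` failures within any `window_seconds` span.  Sources
    inside the `allow` networks (e.g. the admin VPN) are never blocked."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, ip = parsed
        if ip in blocked or is_allowed(ip, allow_nets):
            continue
        q = recent[ip]
        q.append(stamp)
        while (stamp - q[0]).total_seconds() > window_seconds:  # expire old hits
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = (stamp, len(q))
    return blocked


def ipfw_commands(blocked, table=22):
    """ipfw(8) commands adding each offender to a lookup table.  Assumes a
    rule like `ipfw add 100 deny tcp from 'table(22)' to me dst-port 22`
    already references the table (hypothetical rule number and table)."""
    return [f"ipfw table {table} add {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG.splitlines(), allow=["192.0.2.0/24"])
    for ip, (when, n) in offenders.items():
        print(f"{ip}: {n} failures by {when:%H:%M:%S}")
    print("\n".join(ipfw_commands(offenders)))
```

Run against the sample, only 203.0.113.5 is blocked: 198.51.100.7 never has three failures inside ten minutes, and 192.0.2.10 is protected by the allow-list even though it trips the threshold. That allow-list is the check worth keeping whatever tool you end up using, since a typo in your own password should not cut you off from the box you are defending.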