ssh under attack - sessions in accepted state hogging CPU
matt at gsicomp.on.ca
Tue Aug 10 16:21:01 UTC 2010
> On 8/9/2010 8:13 PM, Matt Emmerton wrote:
>> Hi all,
>> I'm in the middle of dealing with a SSH brute force attack that is
>> relentless. I'm working on getting sshguard+ipfw in place to deal
>> with it, but in the meantime, my box is getting pegged because sshd
>> is accepting some connections which are getting stuck in [accepted]
>> state and eating CPU.
>> I know there's not much I can do about the brute force attacks, but
>> will upgrading openssh avoid these stuck connections?
> There is a cracking/DoS technique, that tries to exhaust a servers
> resources, by continualy issuing connect requests, in the hope that
> when the stack croaks in some way, it'll somehow drop it's guard, or
> go off air permanently. Have you upset anyone recently?
Not that I know of - unless my wife counts :)
> Can you not move your services to non standard IP ports, moving away
> from the standard ports, where all the script kiddies & bots hang
> out, or are your clients cast in concrete?
Right now, they are cast in concrete. I want to move many of them to public
keys, so maybe I will change the port at the same time too.
> I've got FTP, Web and SSH systems running on two sites, on very non
> standard ports, with next to no one "trying" to get in as a result,
> but maintaining full visibility to the clients that need them, and
> know where they are! All my standard ports (80, 21, 22 etc) show as
> non existant to the outside world, except on one site, where the
> mail server is continualy getting hammered, but the site's ISP say
> they cant forward mail to any other port.
I have two servers on the same IP block, and one is getting brute-forced and
the other is not. I guess it's just a matter of time before the botnets
seek it out.
> The users have no problems, so long as I correctly specify the port
> with the address to them, as in 'address:port' if I send them a link
> etc, or an example how to fill in a connection dialog.
I'm seriously going to consider this.
More information about the freebsd-questions