ssh under attack - sessions in accepted state hogging CPU

Matt Emmerton matt at
Tue Aug 10 16:21:01 UTC 2010

> On 8/9/2010 8:13 PM, Matt Emmerton wrote:
>> Hi all,
>> I'm in the middle of dealing with a SSH brute force attack that is
>> relentless.  I'm working on getting sshguard+ipfw in place to deal
>> with it, but in the meantime, my box is getting pegged because sshd
>> is accepting some connections which are getting stuck in [accepted]
>> state and eating CPU.
>> I know there's not much I can do about the brute force attacks, but
>> will upgrading openssh avoid these stuck connections?
> There is a cracking/DoS technique, that tries to exhaust a servers
> resources, by continualy issuing connect requests,  in the hope that
> when the stack croaks in some way, it'll somehow drop it's guard, or
> go off air permanently.   Have you upset anyone recently?

Not that I know of - unless my wife counts :)

> Can you not move your services to non standard IP ports, moving away
> from the standard ports, where all the script kiddies & bots hang
> out, or are your clients cast in concrete?

Right now, they are cast in concrete.  I want to move many of them to public 
keys, so maybe I will change the port at the same time too.

> I've got FTP, Web and SSH systems running on two sites, on very non
> standard ports, with next to no one "trying" to get in as a result,
> but maintaining full visibility to the clients that need them, and
> know where they are!  All my standard ports (80, 21, 22 etc) show as
> non existant to the outside world, except on one site, where the
> mail server is continualy getting hammered, but the site's ISP say
> they cant forward mail to any other port.

I have two servers on the same IP block, and one is getting brute-forced and 
the other is not.  I guess it's just a matter of time before the botnets 
seek it out.

> The users have no problems, so long as I correctly specify the port
> with the address to them, as in 'address:port' if I send them a link
> etc, or an example how to fill in a connection dialog.

I'm seriously going to consider this.


More information about the freebsd-questions mailing list