ssh under attack - sessions in accepted state hogging CPU

Matt Emmerton matt at
Wed Aug 11 16:51:16 UTC 2010

> On 10/08/10 05.13, Matt Emmerton wrote:
>> I'm in the middle of dealing with a SSH brute force attack that is
>> relentless.  I'm working on getting sshguard+ipfw in place to deal with 
>> it,
>> but in the meantime, my box is getting pegged because sshd is accepting 
>> some
>> connections which are getting stuck in [accepted] state and eating CPU.
>> I know there's not much I can do about the brute force attacks, but will
>> upgrading openssh avoid these stuck connections?
> If the attack you're experiencing is trying to exhaust system resources by 
> opening a large number of connections, then you may want to toggle these 
> options in sshd_config:
> ClientAliveInterval
> LoginGraceTime
> MaxAuthTries
> MaxSessions
> MaxStartups
> Check the man-page. Secondly, check your logs if this attack is from a 
> limited range of IPs, if so, you might want to try block those ranges.
> If your users will only connect from your country, then blocking other 
> countries in your firewall is very effective.

Thanks to everyone for their help.

I did have MaxSessions set to a small number, but that essentially DoS'd my 
access to the server when enough sshd processes got hung.

sshguard+ipfw was blocking a large number of attacks, but the other attacks 
that were coming in and hanging sshd weren't getting caught (because they 
weren't repetitive.)

I have moved some of my servers to alternate ports, and on the others I 
tweaked some of the settings Erik suggested which has helped a lot.

Thanks for all the advice.


More information about the freebsd-questions mailing list