Re: ssh under attack - sessions in accepted state hogging CPU

[Rocky Borg]

One thing I don't see mentioned a lot is port knocking. It's not perfect 
but it does have it's uses.

Since it sounds like you have a lot of users that need to connect you 
might be able to adapt it to your situation. I haven't tried this 
specific port knocking sequence but you could setup a knock where if a 
user attempts to connect to port 22 say 3 times (most clients should 
auto retry) it then opens up port 22 to that ip and allows them to 
connect to sshd. This would depend on the type of brute force being 
done. A distributed botnet might only try an ip/port once or twice then 
move on. This would be pretty seemless to the end user except for an 
initial delay when connecting as their client retries the connection 
until the specific knock threshold has been hit. It's a middle ground to 
changing the port sshd is operating on. You can do this with firewall 
rules or http://www.freshports.org/security/knock/. A lot of  SSH 
attacks are coming from large numbers of compromised hosts that make 
them very hard to stop with sshguard which is pretty annoying.

On 8/9/2010 8:13 PM, Matt Emmerton wrote:
Hi all,

I'm in the middle of dealing with a SSH brute force attack that is 
relentless.  I'm working on getting sshguard+ipfw in place to deal 
with it, but in the meantime, my box is getting pegged because sshd is 
accepting some connections which are getting stuck in [accepted] state 
and eating CPU.

I know there's not much I can do about the brute force attacks, but 
will upgrading openssh avoid these stuck connections?

root     39127 35.2  0.1  6724  3036  ??  Rs   11:10PM   0:37.91 sshd: 
[accepted] (sshd)
root     39368 33.6  0.1  6724  3036  ??  Rs   11:10PM   0:22.99 sshd: 
[accepted] (sshd)
root     39138 33.1  0.1  6724  3036  ??  Rs   11:10PM   0:41.94 sshd: 
[accepted] (sshd)
root     39137 32.5  0.1  6724  3036  ??  Rs   11:10PM   0:36.56 sshd: 
[accepted] (sshd)
root     39135 31.0  0.1  6724  3036  ??  Rs   11:10PM   0:35.09 sshd: 
[accepted] (sshd)
root     39366 30.9  0.1  6724  3036  ??  Rs   11:10PM   0:23.01 sshd: 
[accepted] (sshd)
root     39132 30.8  0.1  6724  3036  ??  Rs   11:10PM   0:35.21 sshd: 
[accepted] (sshd)
root     39131 30.7  0.1  6724  3036  ??  Rs   11:10PM   0:38.07 sshd: 
[accepted] (sshd)
root     39134 30.2  0.1  6724  3036  ??  Rs   11:10PM   0:40.96 sshd: 
[accepted] (sshd)
root     39367 29.3  0.1  6724  3036  ??  Rs   11:10PM   0:22.08 sshd: 
[accepted] (sshd)

 PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU 
COMMAND
39597 root             1 103    0  6724K  3036K RUN     3   0:28 
35.06% sshd
39599 root             1 103    0  6724K  3036K RUN     0   0:26 
34.96% sshd
39596 root             1 103    0  6724K  3036K RUN     0   0:27 
34.77% sshd
39579 root             1 103    0  6724K  3036K CPU3    3   0:28 
33.69% sshd
39592 root             1 102    0  6724K  3036K RUN     2   0:27 
32.18% sshd
39591 root             1 102    0  6724K  3036K CPU2    2   0:27 
31.88% sshd

--
Matt Emmerton
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to 
"freebsd-questions-unsubscr...@freebsd.org"



_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"