ssh under attack - sessions in accepted state hogging CPU
Matt Emmerton
matt at gsicomp.on.ca
Wed Aug 11 16:51:16 UTC 2010
> On 10/08/10 05.13, Matt Emmerton wrote:
>
>> I'm in the middle of dealing with a SSH brute force attack that is
>> relentless. I'm working on getting sshguard+ipfw in place to deal with it,
>> but in the meantime, my box is getting pegged because sshd is accepting some
>> connections which are getting stuck in [accepted] state and eating CPU.
>>
>> I know there's not much I can do about the brute force attacks, but will
>> upgrading openssh avoid these stuck connections?
>
> If the attack you're experiencing is trying to exhaust system resources by
> opening a large number of connections, then you may want to toggle these
> options in sshd_config:
>
> ClientAliveInterval
> LoginGraceTime
> MaxAuthTries
> MaxSessions
> MaxStartups
>
> Check the man-page. Secondly, check your logs to see if this attack is from
> a limited range of IPs; if so, you might want to try blocking those ranges.
>
> If your users will only connect from your country, then blocking other
> countries in your firewall is very effective.

Thanks to everyone for their help.

I did have MaxSessions set to a small number, but that essentially DoS'd my
access to the server when enough sshd processes got hung.

sshguard+ipfw was blocking a large number of attacks, but the other attacks
that were coming in and hanging sshd weren't getting caught (because they
weren't repetitive).

I have moved some of my servers to alternate ports, and on the others I
tweaked some of the settings Erik suggested, which has helped a lot.

Thanks for all the advice.
--
Matt
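
Added example, not part of the original thread or of any poster's code: a small Python check that reads the sshd_config options named in the quoted reply and estimates how many unauthenticated slots hung connections hold for a given LoginGraceTime, and how often sshd would then refuse new connections under MaxStartups (start:rate:full, per sshd_config(5)). The sample config, the connection rate and the premise that every connection hangs until the grace time expires are assumptions.

```python
import re

WATCHED = {"clientaliveinterval", "logingracetime", "maxauthtries", "maxsessions", "maxstartups"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
SAMPLE = """# constructed sample config, not taken from the thread
LoginGraceTime 2m
MaxStartups 10:30:60
Match Address 192.0.2.0/24
    MaxAuthTries 6
"""

def parse_global(text):
    """Watched options set before the first Match block (first value wins)."""
    found = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":  # later lines apply only to matching clients
            break
        if key in WATCHED and len(parts) == 2:
            found.setdefault(key, parts[1].strip())
    return found

def seconds(value):
    """Convert sshd time formats such as 30, 2m or 1h30m to seconds."""
    if not re.fullmatch(r"(\d+[smhdw]?)+", value.lower()):
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))

def drop_percent(max_startups, pending):
    """Percent chance a new connection is refused with `pending` unauthenticated ones."""
    fields = [int(f) for f in max_startups.split(":")]
    start, rate, full = fields if len(fields) == 3 else (fields[0], 100, fields[0])
    if pending < start:
        return 0
    if pending >= full or rate == 100:
        return 100
    return rate + (100 - rate) * (pending - start) // (full - start)

def report(text, conns_per_minute):
    """(slots held by hung connections, drop percent) at a hypothetical arrival rate."""
    opts = parse_global(text)
    grace = seconds(opts["logingracetime"])
    if grace == 0:
        raise ValueError("LoginGraceTime 0 disables the timeout; slots are never freed")
    held = conns_per_minute * grace // 60  # assumes each one hangs until the grace time expires
    return held, drop_percent(opts["maxstartups"], held)
```

With the sample values, 12 hung connections per minute hold 24 slots and about half of new connections, legitimate ones included, are refused; shortening LoginGraceTime to 20 seconds drops that to 4 slots and no refusals.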
More information about the freebsd-questions mailing list