From: "Matt Emmerton"
Date: Mon, 9 Aug 2010 23:13:49 -0400
Subject: ssh under attack - sessions in accepted state hogging CPU
X-BeenThere: freebsd-questions@freebsd.org

Hi all,

I'm in the middle of dealing with a SSH brute force attack that is relentless. I'm working on getting sshguard+ipfw in place to deal with it, but in the meantime, my box is getting pegged because sshd is accepting some connections which are getting stuck in [accepted] state and eating CPU.

I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?

root 39127 35.2 0.1 6724 3036 ?? Rs 11:10PM 0:37.91 sshd: [accepted] (sshd)
root 39368 33.6 0.1 6724 3036 ?? Rs 11:10PM 0:22.99 sshd: [accepted] (sshd)
root 39138 33.1 0.1 6724 3036 ?? Rs 11:10PM 0:41.94 sshd: [accepted] (sshd)
root 39137 32.5 0.1 6724 3036 ?? Rs 11:10PM 0:36.56 sshd: [accepted] (sshd)
root 39135 31.0 0.1 6724 3036 ?? Rs 11:10PM 0:35.09 sshd: [accepted] (sshd)
root 39366 30.9 0.1 6724 3036 ?? Rs 11:10PM 0:23.01 sshd: [accepted] (sshd)
root 39132 30.8 0.1 6724 3036 ?? Rs 11:10PM 0:35.21 sshd: [accepted] (sshd)
root 39131 30.7 0.1 6724 3036 ?? Rs 11:10PM 0:38.07 sshd: [accepted] (sshd)
root 39134 30.2 0.1 6724 3036 ?? Rs 11:10PM 0:40.96 sshd: [accepted] (sshd)
root 39367 29.3 0.1 6724 3036 ?? Rs 11:10PM 0:22.08 sshd: [accepted] (sshd)

  PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
39597 root        1 103    0  6724K  3036K RUN    3   0:28 35.06% sshd
39599 root        1 103    0  6724K  3036K RUN    0   0:26 34.96% sshd
39596 root        1 103    0  6724K  3036K RUN    0   0:27 34.77% sshd
39579 root        1 103    0  6724K  3036K CPU3   3   0:28 33.69% sshd
39592 root        1 102    0  6724K  3036K RUN    2   0:27 32.18% sshd
39591 root        1 102    0  6724K  3036K CPU2   2   0:27 31.88% sshd

--
Matt Emmerton
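
The symptom in the message above can be picked out of `ps aux` output mechanically. The following is an added example, not part of the original post: it lists pre-authentication sshd children (process title `sshd: [accepted]`) that are runnable and burning CPU. The function names and both thresholds are assumptions chosen for illustration.

```python
from typing import List, NamedTuple

# Sample input: the first three lines are copied from the ps output in the
# post; the last two are constructed (an idle pre-auth child and a logged-in
# session) to show what the filter leaves alone.
SAMPLE_PS = """\
root 39127 35.2 0.1 6724 3036 ?? Rs 11:10PM 0:37.91 sshd: [accepted] (sshd)
root 39368 33.6 0.1 6724 3036 ?? Rs 11:10PM 0:22.99 sshd: [accepted] (sshd)
root 39367 29.3 0.1 6724 3036 ?? Rs 11:10PM 0:22.08 sshd: [accepted] (sshd)
root   812  0.0 0.1 6724 3036 ?? Is  9:02PM 0:00.03 sshd: [accepted] (sshd)
matt 40001  0.0 0.1 6724 3100 ?? S  10:58PM 0:00.10 sshd: matt@ttyp0 (sshd)
"""


class PreauthProc(NamedTuple):
    pid: int
    cpu_pct: float
    cpu_seconds: float


def cpu_time_seconds(field: str) -> float:
    """Convert a ps TIME field such as '0:37.91' (or 'h:mm:ss') to seconds."""
    total = 0.0
    for part in field.split(":"):
        total = total * 60 + float(part)
    return total


def busy_preauth_sshd(ps_text: str, min_cpu_pct: float = 10.0,
                      min_cpu_seconds: float = 5.0) -> List[PreauthProc]:
    """Return pre-auth sshd children that are runnable and above both thresholds.

    Thresholds are assumed values: a pre-auth child that has accumulated
    seconds of CPU time is unusual enough to flag.
    """
    hits = []
    for line in ps_text.splitlines():
        cols = line.split(None, 10)  # 10 fixed columns, then the command
        if len(cols) < 11 or not cols[1].isdigit():
            continue  # header line or something that is not a process row
        _u, pid, cpu, _m, _vsz, _rss, _tt, stat, _start, time_, cmd = cols
        if not cmd.startswith("sshd: [accepted]"):
            continue  # authenticated sessions and the listener are ignored
        secs = cpu_time_seconds(time_)
        if (stat.startswith("R") and float(cpu) >= min_cpu_pct
                and secs >= min_cpu_seconds):
            hits.append(PreauthProc(int(pid), float(cpu), secs))
    return hits


if __name__ == "__main__":
    for proc in busy_preauth_sshd(SAMPLE_PS):
        print(f"pid={proc.pid} cpu={proc.cpu_pct}% time={proc.cpu_seconds}s")
```

On a live host the same function can be fed the text of `ps aux` instead of the sample.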