From: Erik Norgaard <norgaard@locolomo.org>
To: freebsd-questions@freebsd.org
Date: Tue, 10 Aug 2010 18:40:59 +0200
Subject: Re: ssh under attack - sessions in accepted state hogging CPU
Message-ID: <4C61811B.7070703@locolomo.org>

On 10/08/10 05.13, Matt Emmerton wrote:
> I'm in the middle of dealing with an SSH brute force attack that is
> relentless. I'm working on getting sshguard+ipfw in place to deal with it,
> but in the meantime, my box is getting pegged because sshd is accepting some
> connections which are getting stuck in [accepted] state and eating CPU.
>
> I know there's not much I can do about the brute force attacks, but will
> upgrading openssh avoid these stuck connections?
If the attack you're experiencing is trying to exhaust system resources by opening a large number of connections, then you may want to toggle these options in sshd_config:

  ClientAliveInterval
  LoginGraceTime
  MaxAuthTries
  MaxSessions
  MaxStartups

Check the man-page.

Secondly, check your logs if this attack is from a limited range of IPs; if so, you might want to try blocking those ranges. If your users will only connect from your country, then blocking other countries in your firewall is very effective.

BR, Erik
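Erik's second suggestion, checking whether the failed logins cluster in a few address ranges, as an added example that is not from this thread: a Python script that parses sshd failure lines in the FreeBSD auth.log format and totals them per network prefix. The log lines are constructed for illustration (RFC 5737 documentation addresses, a made-up hostname "beta"), and the ranges it returns are candidates for a firewall deny rule, not rules it installs.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Lines OpenSSH's sshd writes to FreeBSD's /var/log/auth.log for failed or
# aborted attempts. "Invalid user" lines are deliberately not matched: each is
# followed by a "Failed ... for invalid user" line, so matching both would
# count one attempt twice.
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
    re.compile(r"sshd\[\d+\]: Did not receive identification string from (?P<ip>[\d.]+)"),
]

# Constructed sample log (documentation addresses, not real attackers).
SAMPLE_AUTH_LOG = """\
Aug 10 05:13:01 beta sshd[41021]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 10 05:13:03 beta sshd[41023]: Failed password for root from 203.0.113.77 port 51240 ssh2
Aug 10 05:13:04 beta sshd[41025]: Did not receive identification string from 203.0.113.9
Aug 10 05:13:06 beta sshd[41027]: Failed password for invalid user oracle from 198.51.100.7 port 40000 ssh2
Aug 10 05:13:08 beta sshd[41029]: Accepted publickey for erik from 192.0.2.10 port 50022 ssh2
Aug 10 05:13:09 beta sshd[41031]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
""".splitlines()

def extract_failure_ip(line):
    """Return the source address of a failed sshd attempt, or None for other lines."""
    for pattern in FAILURE_PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group("ip")
    return None

def failures_by_range(lines, prefix_len=24):
    """Count failed attempts per /prefix_len network, busiest ranges first."""
    counts = Counter()
    for line in lines:
        ip = extract_failure_ip(line)
        if ip is None:
            continue
        try:
            net = ip_network(f"{ip}/{prefix_len}", strict=False)
        except ValueError:
            continue  # malformed address in the log: skip it, don't abort the run
        counts[str(net)] += 1
    return counts.most_common()

def ranges_to_block(lines, threshold, prefix_len=24):
    """Networks whose failure count reaches the threshold, e.g. for an ipfw deny rule."""
    return [net for net, n in failures_by_range(lines, prefix_len) if n >= threshold]
```

Run it over the real file with failures_by_range(open("/var/log/auth.log")) and widen prefix_len (e.g. 16) to see whether the noise comes from one provider's block rather than one /24.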