From owner-freebsd-questions@FreeBSD.ORG Wed Aug 11 16:51:16 2010
From: "Matt Emmerton" <matt@gsicomp.on.ca>
To: "Erik Norgaard"
Date: Wed, 11 Aug 2010 12:51:13 -0400
Subject: Re: ssh under attack - sessions in accepted state hogging CPU
References: <4C61811B.7070703@locolomo.org>

> On 10/08/10 05.13, Matt Emmerton wrote:
>
>> I'm in the middle of dealing with an SSH brute force attack that is
>> relentless. I'm working on getting sshguard+ipfw in place to deal with
>> it, but in the meantime, my box is getting pegged because sshd is
>> accepting some connections which are getting stuck in [accepted] state
>> and eating CPU.
>>
>> I know there's not much I can do about the brute force attacks, but will
>> upgrading openssh avoid these stuck connections?
>
> If the attack you're experiencing is trying to exhaust system resources by
> opening a large number of connections, then you may want to toggle these
> options in sshd_config:
>
> ClientAliveInterval
> LoginGraceTime
> MaxAuthTries
> MaxSessions
> MaxStartups
>
> Check the man-page. Secondly, check your logs to see if this attack is
> from a limited range of IPs; if so, you might want to try to block those
> ranges.
>
> If your users will only connect from your country, then blocking other
> countries in your firewall is very effective.

Thanks to everyone for their help.

I did have MaxSessions set to a small number, but that essentially DoS'd my
access to the server when enough sshd processes got hung.

sshguard+ipfw was blocking a large number of attacks, but the other attacks
that were coming in and hanging sshd weren't getting caught (because they
weren't repetitive).

I have moved some of my servers to alternate ports, and on the others I
tweaked some of the settings Erik suggested, which has helped a lot.

Thanks for all the advice.

--
Matt
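A way to check an sshd_config against the directives Erik listed and Matt tuned, as an added example that is not part of the thread. It assumes POSIX sh and awk; the two configurations it reads are constructed samples, and the thresholds it flags are the example's own choices, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread; both configs below are constructed.
# Stock-like values that leave sshd open to a flood of half-open (pre-auth) connections.
STOCK_CONFIG='MaxStartups 10
LoginGraceTime 120
MaxAuthTries 6
MaxSessions 10'
# The same file after tuning.
TUNED_CONFIG='MaxStartups 10:30:60
LoginGraceTime 30
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
MaxSessions 10'

# sshd_opt KEYWORD CONFIGTEXT: value of the first uncommented match (case-insensitive
# keyword, first occurrence wins, as in sshd); prints nothing when the keyword is unset.
sshd_opt() {
    printf '%s\n' "$2" |
        awk -v k="$1" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }'
}
# secs VALUE: sshd time value in seconds (N, Ns, Nm or Nh); -1 if unset or unparseable.
secs() {
    printf '%s\n' "$1" | awk '/^[0-9]+s?$/ { print $0 + 0; next }
        /^[0-9]+m$/ { print ($0 + 0) * 60; next }
        /^[0-9]+h$/ { print ($0 + 0) * 3600; next }
        { print -1 }'
}
# audit_sshd CONFIGTEXT: one finding per line; prints nothing when all checks pass.
# MaxSessions is not checked: it caps sessions per connection, not connections, so
# lowering it does not shed an attacker's half-open connections.
audit_sshd() {
    ms=$(sshd_opt MaxStartups "$1")
    case "$ms" in
        *:*:*) ;;   # start:rate:full: refuse extra pre-auth connections with rising probability
        *) echo "MaxStartups=${ms:-unset}: use start:rate:full (e.g. 10:30:60) to shed pre-auth connections under load" ;;
    esac
    lg=$(sshd_opt LoginGraceTime "$1"); lgs=$(secs "$lg")
    if [ "$lgs" -lt 0 ] || [ "$lgs" -gt 60 ]; then
        echo "LoginGraceTime=${lg:-unset}: lower it (e.g. 30) so sessions stuck before authentication are dropped sooner"
    fi
    at=$(sshd_opt MaxAuthTries "$1")
    if [ -z "$at" ] || [ "$at" -gt 3 ]; then
        echo "MaxAuthTries=${at:-unset}: lower it (e.g. 3) so one connection cannot keep guessing passwords"
    fi
    ca=$(sshd_opt ClientAliveInterval "$1")
    if [ -z "$ca" ] || [ "$ca" -eq 0 ]; then
        echo "ClientAliveInterval=${ca:-unset}: set it (e.g. 300) to time out idle authenticated sessions; pre-auth sessions are bounded only by LoginGraceTime"
    fi
}
audit_sshd "$STOCK_CONFIG"   # four findings; audit_sshd "$TUNED_CONFIG" prints nothing
```

To audit a live host, pass the file contents instead of a sample, e.g. `audit_sshd "$(cat /etc/ssh/sshd_config)"`.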