Date:      Tue, 10 Aug 2010 18:40:59 +0200
From:      Erik Norgaard <norgaard@locolomo.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: ssh under attack - sessions in accepted state hogging CPU
Message-ID:  <4C61811B.7070703@locolomo.org>
In-Reply-To: <ED433058084C4B0FAE9C516075BF0440@hermes>
References:  <ED433058084C4B0FAE9C516075BF0440@hermes>

On 10/08/10 05.13, Matt Emmerton wrote:

> I'm in the middle of dealing with a SSH brute force attack that is
> relentless.  I'm working on getting sshguard+ipfw in place to deal with it,
> but in the meantime, my box is getting pegged because sshd is accepting some
> connections which are getting stuck in [accepted] state and eating CPU.
>
> I know there's not much I can do about the brute force attacks, but will
> upgrading openssh avoid these stuck connections?

If the attack you're experiencing is trying to exhaust system resources 
by opening a large number of connections, then you may want to toggle 
these options in sshd_config:

ClientAliveInterval
LoginGraceTime
MaxAuthTries
MaxSessions
MaxStartups

Check the man page. Secondly, check your logs to see if this attack is from a
limited range of IPs; if so, you might want to try blocking those ranges.

If your users will only connect from your country, then blocking other 
countries in your firewall is very effective.

BR, Erik
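
One way to do the log check suggested above, as an added example that is not part of the original message: it counts failed sshd logins per IPv4 network so that a concentrated source range stands out as a candidate for a firewall block. The function name, the /24 grouping, the threshold and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# OpenSSH failure messages. The address is anchored to the end of the line
# because the user name is client-supplied and may itself contain " from <ip>".
FAILURE = re.compile(
    r"sshd\[\d+\]: (?:Failed \S+ for .*|Invalid user .*|"
    r"Did not receive identification string) from "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?(?: ssh2)?$"
)

def failures_by_network(lines, prefix=24, threshold=3):
    """Return [(network, attempts, distinct_hosts)], busiest first, for IPv4
    networks of the given prefix length with at least `threshold` failures."""
    attempts, hosts = Counter(), {}
    for line in lines:
        m = FAILURE.search(line.rstrip())
        if not m:
            continue
        try:
            net = ipaddress.ip_network(f"{m.group(1)}/{prefix}", strict=False)
        except ValueError:  # octet out of range in a mangled line
            continue
        attempts[net] += 1
        hosts.setdefault(net, set()).add(m.group(1))
    return [(str(n), c, len(hosts[n]))
            for n, c in attempts.most_common() if c >= threshold]

# Constructed sample in auth.log format (documentation address ranges).
# The fifth line carries a user name forged to look like another source.
SAMPLE = """\
Aug 10 05:01:12 host sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Aug 10 05:01:13 host sshd[1202]: Failed password for invalid user admin from 203.0.113.9 port 40230 ssh2
Aug 10 05:01:14 host sshd[1203]: Invalid user test from 203.0.113.77
Aug 10 05:01:15 host sshd[1204]: Did not receive identification string from 203.0.113.5
Aug 10 05:01:16 host sshd[1205]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.200 port 5050 ssh2
Aug 10 05:01:17 host sshd[1206]: Failed password for root from 198.51.100.23 port 51000 ssh2
Aug 10 05:02:00 host sshd[1207]: Accepted publickey for matt from 192.0.2.10 port 50022 ssh2
""".splitlines()

if __name__ == "__main__":
    for net, count, nhosts in failures_by_network(SAMPLE):
        print(f"{net}\t{count} failures from {nhosts} hosts")
```

To run it against a real log, pass an open file such as `/var/log/auth.log` as `lines`; a wider prefix (for example 16) shows whether the sources cluster in a larger allocation.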


