Other Options?
Authored by: lullabud on Aug 19, '05 01:04:18PM

I have a 867mhz laptop, so when people are hacking at the door of my sshd it really grinds my CPU, leading to heat and eventually the fan turning on, leading to me having to disable sshd for some amount of time to stop the attack. There has got to be a better way...

Ideally, I'd like a way to either lock out connections from a certain IP# that fails too many times so that sshd simply drops all packets from that IP#. Another option would be to add an incremental delay period for each failed login...

Speaking of delays, is there a way to add a delay to the authentication process? I'm assuming the CPU consumption is caused by the mathematics behind the encryption. A delay in the authentication would keep the CPU usage down, as well as just make it longer for the perp to get the work done and this might be a simpler process than other options.

I'm also open to more active ways of slowing down or denying these attacks while leaving sshd enabled.

Other Options?
Authored by: derekhed on Aug 19, '05 01:19:11PM

I have not tried this personally, but you could look into changing your MaxStartups value in the sshd_config file on your machine. Do a 'man sshd_config' and look for that parameter.

What process is signaling this?
Authored by: hamarkus on Aug 19, '05 02:44:41PM

Which process is doing the ssh stuff? In other words, how do I see it when people are pounding at my door? I often have the processes 'sh', 'pmTool', 'kerneltask' taking up a lot of cycles (10% to 20%); I attribute some of these to Matlab, which might use these processes, or VirtualPC as well.

Monitoring and Delays
Authored by: lullabud on Aug 19, '05 03:06:13PM

I've actually never paid attention to what process is doing the authentication, and frankly I'm not too sure about OS X's `top` binary, but I keep an eye on my network meter for systematic looking patterns and my CPU meter for consistent CPU usage when my system should be idling. If something looks fishy I `tail -f /var/log/system.log`. (That's also handy when used with /var/log/httpd/access_log when people are hacking your webserver.)

Also, while testing to see which process would be hogging the CPU, I noticed this in the system log:

Failed Authentication return is being delayed due to over five recent auth failures for username: foo.

I wonder if there's a variable I can change to lengthen that delay....

What process is signaling this?
Authored by: vykor on Aug 19, '05 05:22:07PM

For every ssh connection, there should be a correspondingly forked sshd instance to handle it. So in the list in top or ps, look for the sshd instances.

Other Options? DenyHosts
Authored by: vortmax on Aug 19, '05 06:18:56PM

http://denyhosts.sourceforge.net/

This is a Python script that you can cron as root. It checks the access logs and, for those hits from script kiddies, it will add the offending IP to the /etc/hosts.deny file.

Careful if you fail your own login password. You could deny your valid IP.

vortmax

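As an added illustration of the approach vortmax describes (this is example code, not DenyHosts itself and not from any post in the thread), the script below counts sshd "Failed password" lines per source IP from a constructed sample of /var/log/system.log, applies a failure threshold, skips a whitelist so you do not lock out your own address, and emits the corresponding /etc/hosts.deny entries. The log lines, IP addresses, threshold and whitelist are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of sshd lines in the format they appear in /var/log/system.log.
# 192.0.2.10 hammers several accounts, 198.51.100.7 tries twice, and 203.0.113.5
# is the owner mistyping their own password three times before getting in.
SAMPLE_LOG = """\
Aug 19 13:04:18 laptop sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2
Aug 19 13:04:19 laptop sshd[4103]: Failed password for invalid user test from 192.0.2.10 port 4243 ssh2
Aug 19 13:04:20 laptop sshd[4105]: Failed password for root from 192.0.2.10 port 4244 ssh2
Aug 19 13:04:21 laptop sshd[4107]: Failed password for invalid user guest from 192.0.2.10 port 4245 ssh2
Aug 19 13:04:22 laptop sshd[4109]: Failed password for root from 192.0.2.10 port 4246 ssh2
Aug 19 13:05:01 laptop sshd[4111]: Failed password for invalid user oracle from 198.51.100.7 port 5000 ssh2
Aug 19 13:05:02 laptop sshd[4113]: Failed password for root from 198.51.100.7 port 5001 ssh2
Aug 19 13:06:40 laptop sshd[4115]: Failed password for lullabud from 203.0.113.5 port 6010 ssh2
Aug 19 13:06:45 laptop sshd[4115]: Failed password for lullabud from 203.0.113.5 port 6010 ssh2
Aug 19 13:06:50 laptop sshd[4115]: Failed password for lullabud from 203.0.113.5 port 6010 ssh2
Aug 19 13:06:55 laptop sshd[4115]: Accepted password for lullabud from 203.0.113.5 port 6010 ssh2
"""

# Matches both "Failed password for root from A.B.C.D" and
# "Failed password for invalid user foo from A.B.C.D"; captures the source IP.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port"
)

def count_failures(log_text):
    """Return a Counter of failed-login attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(log_text, threshold=3, whitelist=()):
    """IPs at or above the failure threshold, minus whitelisted (your own) addresses."""
    counts = count_failures(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in whitelist)

def hosts_deny_lines(ips):
    """tcp_wrappers syntax for /etc/hosts.deny: 'daemon : client'."""
    return ["sshd: %s" % ip for ip in ips]

if __name__ == "__main__":
    # Whitelist the owner's constructed address so a mistyped password never locks them out.
    for entry in hosts_deny_lines(offenders(SAMPLE_LOG, whitelist=("203.0.113.5",))):
        print(entry)
```

hosts.deny only has an effect when sshd was built with tcp_wrappers (libwrap) support, so check that before relying on it.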