mayur...@acm.org (Mayuresh) writes:

>On a NetBSD 9.2 amd64 VPS I noticed system slowness and top showed too many
>ssh processes - 49 to be precise.

>I have blacklistd enabled and approximately every 2 to 3 minutes a new
>IP address is getting blocked.

>Using console access I stopped ssh service, killed sshd processes and
>restarted. As of writing this the count of sshd processes is 10 again,
>when only 2 ssh sessions are shown in `who'.

>What explains the count of these processes and what precautions shall I be
>taking?


Someone is brute-forcing your account passwords.

Easiest counter-measure is to use a different port for ssh. So far these
attacks go to the standard port (22).

You can also restrict access to known IPs, either by configuring sshd
(for example using /etc/hosts.allow, /etc/hosts.deny) or by adding a
permanent IP filter to block access and cloud providers world-wide.
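
To confirm the brute-forcing diagnosed above, failed logins in the sshd log can be counted per source address. The script below is an added example, not part of the original thread: the function names and the sample log lines are constructed, and it assumes OpenSSH's usual "Failed password for ... from IP port N ssh2" message format. It reads the address from the end of the line, because the username field is chosen by the client and can itself contain "from ... port ...".

```shell
#!/bin/sh
# Added example: count failed sshd password logins per source IP.
# All names and log lines here are constructed for illustration.

# Constructed sample log (documentation address ranges only).
sample_log() {
cat <<'EOF'
Mar  3 10:01:02 vps sshd[1201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:01:05 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Mar  3 10:01:09 vps sshd[1207]: Invalid user test from 198.51.100.23 port 51522
Mar  3 10:01:11 vps sshd[1207]: Failed password for invalid user test from 198.51.100.23 port 51522 ssh2
Mar  3 10:01:15 vps sshd[1210]: Failed password for root from 203.0.113.7 port 40131 ssh2
Mar  3 10:02:00 vps sshd[1215]: Accepted publickey for mayur from 192.0.2.10 port 50022 ssh2
Mar  3 10:02:30 vps sshd[1220]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 198.51.100.99 port 60000 ssh2
EOF
}

# Read sshd log lines on stdin, print "count ip" sorted by count (descending).
# The source address is taken from the LAST "from <ip> port" triple on the
# line: that part is written by sshd, while the username before it comes
# from the client and may try to impersonate another address.
failed_by_ip() {
    awk '
    / sshd\[[0-9]+\]: Failed password for / {
        for (i = NF; i > 2; i--)
            if ($i == "port" && $(i - 2) == "from") { n[$(i - 1)]++; break }
    }
    END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print only the addresses with at least $1 failures: candidates for a
# permanent filter rule, after checking they are not your own addresses.
over_threshold() {
    failed_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

# Demo run on the constructed sample.
sample_log | failed_by_ip
```

On a live system, feed the auth log to `failed_by_ip` instead of `sample_log` (on NetBSD this is typically /var/log/authlog).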
