Re: Growing sshd process count

2022-10-10 Thread Mayuresh
On Sun, Oct 09, 2022 at 08:28:04AM +0200, Martin Husemann wrote:
> first and obvious thing you should make sure is that sshd is configured
> to not accept any kind of password based authentication

Absolutely. It's like that already.

Besides that, there is blacklistd.

-- 
Mayuresh


Re: Growing sshd process count

2022-10-09 Thread Martin Husemann
On Sat, Oct 08, 2022 at 09:40:48AM +0200, Michael van Elst wrote:
> No idea what kind of protection Hetzner is offering. But such attacks
> rarely qualify as DDOS, it's usually a single bot that does rapid login
> attempts. Sometimes you have several concurrent independent attacks.

I have not followed closely, but wanted to note that of course the first
and obvious thing you should make sure is that sshd is configured to
not accept any kind of password based authentication (unless you really
need them, which is hard to imagine).

If you do not need PAM authentication, set this in /etc/ssh/sshd_config:

PasswordAuthentication no
UsePAM no

If you need PAM, you also have to disable passwords for sshd at the PAM level.

Martin
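An added example, not part of Martin's message or of NetBSD itself: a POSIX sh check of the effective sshd settings against the two values above. It relies on `sshd -T`, which prints the resolved configuration one lowercased keyword per line; the two sample outputs below are constructed, and on a real host you would pass `"$(sshd -T)"` instead.

```sh
#!/bin/sh
# Added example: audit the effective sshd configuration for the two
# settings recommended in the thread. Real use:
#   audit_sshd_effective_config "$(sshd -T)"
# sshd -T prints the resolved config, one lowercased keyword per line.

# Constructed samples standing in for `sshd -T` output (not real hosts).
SAMPLE_WEAK='port 22
passwordauthentication yes
usepam yes'

SAMPLE_HARDENED='port 22
passwordauthentication no
usepam no'

# Returns 0 when every listed keyword resolves to "no"; otherwise prints
# one WEAK line per offending keyword and returns 1. A keyword missing
# from the output is reported as well rather than assumed safe.
audit_sshd_effective_config() {
    _cfg=$1
    _rc=0
    for _kw in passwordauthentication usepam; do
        _val=$(printf '%s\n' "$_cfg" | awk -v k="$_kw" '$1 == k { print $2; exit }')
        if [ "$_val" != "no" ]; then
            echo "WEAK: $_kw is '${_val:-unset}', expected 'no'"
            _rc=1
        fi
    done
    return $_rc
}

echo "hardened sample:"; audit_sshd_effective_config "$SAMPLE_HARDENED" && echo "  ok"
echo "weak sample:";     audit_sshd_effective_config "$SAMPLE_WEAK" || echo "  FAIL"
```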


Re: Growing sshd process count

2022-10-08 Thread Andy Ruhl
On Fri, Oct 7, 2022 at 7:22 PM Mayuresh  wrote:
>
> On Fri, Oct 07, 2022 at 02:14:09PM -, Michael van Elst wrote:
> > Someone is brute-forcing your account passwords.
>
> Thanks. I think blacklistd is protecting me.
>
> But doesn't this qualify as a DDOS attack? The VPS provider (Hetzner)
> claims to provide DDOS protection. Shouldn't it have triggered in this
> scenario?

Probably not. The point of that attack is probably to break into your
system, not deny others from accessing it. But maybe they accomplish
the second thing if they can't break in.

Andy


Re: Growing sshd process count

2022-10-08 Thread Michael van Elst
On Sat, Oct 08, 2022 at 07:51:48AM +0530, Mayuresh wrote:
> On Fri, Oct 07, 2022 at 02:14:09PM -, Michael van Elst wrote:
> > Someone is brute-forcing your account passwords.
> 
> Thanks. I think blacklistd is protecting me.
> 
> But doesn't this qualify as a DDOS attack? The VPS provider (Hetzner)
> claims to provide DDOS protection. Shouldn't it have triggered in this
> scenario?

No idea what kind of protection Hetzner is offering. But such attacks
rarely qualify as DDOS, it's usually a single bot that does rapid login
attempts. Sometimes you have several concurrent independent attacks.

If you have a slow machine, blacklistd might not be sufficient. The
login attempt times out before sshd can check the password and trigger
the blacklist entry.


Greetings,
-- 
Michael van Elst
Internet: mlel...@serpens.de
"A potential Snark may lurk in every tree."


Re: Growing sshd process count

2022-10-07 Thread Mayuresh
On Fri, Oct 07, 2022 at 02:14:09PM -, Michael van Elst wrote:
> Someone is brute-forcing your account passwords.

Thanks. I think blacklistd is protecting me.

But doesn't this qualify as a DDOS attack? The VPS provider (Hetzner)
claims to provide DDOS protection. Shouldn't it have triggered in this
scenario?

BTW at the time of writing this, the thing has subsided.

-- 
Mayuresh


Re: Growing sshd process count

2022-10-07 Thread Steffen Nurpmeso
Michael van Elst wrote in
 :
 |mayur...@acm.org (Mayuresh) writes:
 |
 |>On NetBSD 9.2 amd64 VPS I noticed system slowness and top showed too many
 |>ssh processes - 49 to be precise.
 |
 |>I have blacklistd enabled and approximately in every 2 to 3 minutes a new
 |>IP address is getting blocked.
 |
 |>Using console access I stopped ssh service, killed sshd processes and
 |>restarted. As of writing this the count of sshd processes is 10 again,
 |>when only 2 ssh sessions are shown in `who'.
 |
 |>What explains the count of these processes and what precautions shall I be
 |>taking?
 |
 |Someone is brute-forcing your account passwords.
 |
 |Easiest counter-measure is to use a different port for ssh. So far these
 |attacks go to the standard port (22).

Yes.  It will be found someday, but i found it will take time.

 |You can also restrict access to known IPs, either by configuring sshd
 |(for example using /etc/hosts.allow, /etc/hosts.deny) or by adding a
 |permanent IP filter to block access and cloud providers world-wide.

I have a firewall rule

   change_chain i_sshorvpn # {{{

   # Source already seen --hitcount times within --seconds: remember it in
   # the alien_super list and drop.
   add_rule -m recent --name sshorvpn --rcheck --seconds XXX --reap \
      --hitcount "${FWCORE_SSH_AND_VPN_CLIENT_HITCOUNT}" \
      -m recent --name alien_super --set \
      -j DROP
   # Rate-limited log line, then record this hit and hand off.
   add_rule -m limit --limit 1/m --limit-burst 3 -j LOG --log-prefix "SSH/VPN "
   add_rule -m recent --name sshorvpn --set -j f_m1

where FWCORE_SSH_AND_VPN_CLIENT_HITCOUNT=10, but that is now, it
was 3 in the past.  alien_super entries are denied further access
for many hours.  But mind you, there _are_ smart attackers which
really find out the --seconds over months!!  I have a port knocker

   # port_knock: input only server
   if [ -n "${SERVER}" ] && fwcore_has_i port_knock; then
      : ${FWCORE_PORT_KNOCK:?\
port_knock in FWCORE_IPROTOS needs FWCORE_PORT_KNOCK}
      if ipaddr_split ap "${FWCORE_PORT_KNOCK}"; then
         # Every knock is recorded; a second knock within 60s from the same
         # source marks it alien_super and is dropped.
         add_rule -p udp --dport ${port} \
            -m recent --name port_knock --set \
            -m recent --name port_knock --rcheck --seconds 60 --reap \
               --hitcount 2 \
            -m recent --name alien_super --set -j DROP
         # A single knock falls through here.
         add_rule -p udp --dport ${port} -j f_m1
      fi
   fi

It performs a white-listing (i.e. red, yellow, allow) operation.
Just in case i bang the above, which i somewhat regularly did with
ssh, even though i was using ControlMaster.

I am now using a WireGuard VPN regardless of its developer :-)),
and ssh only sits in the VPN on its regular port.
WireGuard now solely uses the above sshorvpn rule, but since it
bypasses the firewall once a connection stands, i never locked
myself out.  (Yes i did, but only because i was too quick.)
I have only 22 alien_super entries at the moment, whereas in
earlier times we were always at the maximum of 250.  (WG listens
on strange ports.)

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


Re: Growing sshd process count

2022-10-07 Thread Michael van Elst
mayur...@acm.org (Mayuresh) writes:

>On NetBSD 9.2 amd64 VPS I noticed system slowness and top showed too many
>ssh processes - 49 to be precise.

>I have blacklistd enabled and approximately in every 2 to 3 minutes a new
>IP address is getting blocked.

>Using console access I stopped ssh service, killed sshd processes and
>restarted. As of writing this the count of sshd processes is 10 again,
>when only 2 ssh sessions are shown in `who'.

>What explains the count of these processes and what precautions shall I be
>taking?


Someone is brute-forcing your account passwords.

Easiest counter-measure is to use a different port for ssh. So far these
attacks go to the standard port (22).

You can also restrict access to known IPs, either by configuring sshd
(for example using /etc/hosts.allow, /etc/hosts.deny) or by adding a
permanent IP filter to block access and cloud providers world-wide.
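An added example, not from Michael's message or from NetBSD, of confirming that diagnosis from the log rather than from the process count: tally sshd authentication failures per source address in /var/log/authlog lines and list the sources at or above a threshold, which is the same per-source count blacklistd keeps before blocking. The log lines are constructed in authlog format with addresses from RFC 5737 documentation ranges; on a real host feed it the file and compare with `blacklistctl dump -b`.

```sh
#!/bin/sh
# Added example: per-source tally of sshd authentication failures.
# Real use on NetBSD: failed_logins_by_source "$(cat /var/log/authlog)" 3
# and compare the result with what blacklistd has blocked:
#   blacklistctl dump -b

# Constructed sample in the shape of /var/log/authlog (addresses from
# RFC 5737 documentation ranges; not real hosts or users).
SAMPLE_AUTHLOG='Oct  7 14:01:02 vps sshd[1201]: Invalid user admin from 203.0.113.5 port 51234
Oct  7 14:01:02 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct  7 14:01:09 vps sshd[1207]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct  7 14:01:15 vps sshd[1212]: Failed password for root from 203.0.113.5 port 51251 ssh2
Oct  7 14:02:30 vps sshd[1230]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Oct  7 14:02:41 vps sshd[1235]: Failed password for alice from 198.51.100.7 port 40019 ssh2
Oct  7 14:03:00 vps sshd[1240]: Accepted publickey for alice from 192.0.2.9 port 50001 ssh2
Oct  7 14:03:12 vps sshd[1244]: Connection closed by authenticating user root 203.0.113.5 port 51260 [preauth]'

# Prints "<source> <failures>" for every source with at least $2 failures,
# most active first. Counts the two messages sshd logs for a rejected
# login ("Failed password for", "Invalid user"); accepted logins and
# preauth disconnects are ignored.
failed_logins_by_source() {
    _log=$1
    _thr=$2
    printf '%s\n' "$_log" | awk -v thr="$_thr" '
        / sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (s in n) if (n[s] >= thr) print s, n[s] }
    ' | sort -k2,2nr -k1,1
}

failed_logins_by_source "$SAMPLE_AUTHLOG" 3
```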



Re: Growing sshd process count

2022-10-07 Thread Mayuresh
On Fri, Oct 07, 2022 at 07:09:51PM +0530, Mayuresh wrote:
> What explains the count of these processes and what precautions shall I be
> taking?

A related question. In ps I see a field such as [accepted] [net] [priv].
What is their meaning / where can I find their documentation?

-- 
Mayuresh


Growing sshd process count

2022-10-07 Thread Mayuresh
On NetBSD 9.2 amd64 VPS I noticed system slowness and top showed too many
ssh processes - 49 to be precise.

I have blacklistd enabled and approximately in every 2 to 3 minutes a new
IP address is getting blocked.

Using console access I stopped ssh service, killed sshd processes and
restarted. As of writing this the count of sshd processes is 10 again,
when only 2 ssh sessions are shown in `who'.

What explains the count of these processes and what precautions shall I be
taking?

-- 
Mayuresh