Re: Growing sshd process count

To: netbsd-users%netbsd.org@localhost
Subject: Re: Growing sshd process count
From: mlelstv%serpens.de@localhost (Michael van Elst)
Date: Fri, 7 Oct 2022 14:14:09 -0000 (UTC)

mayuresh%acm.org@localhost (Mayuresh) writes:

>On NetBSD 9.2 amd64 VPS I noticed system slowness and top showed too many
>ssh processes - 49 to be precise.

>I have blacklistd enabled and approximately in every 2 to 3 minutes a new
>IP address is getting blocked.

>Using console access I stopped ssh service, killed sshd processes and
>restarted. As of writing this the count of sshd processes is 10 again,
>when only 2 ssh sessions are shown in `who'.

>What explains the count of these processes and what precautions shall I be
>taking?

Someone is brute-forcing your account passwords.

Easiest counter-measure is to use a different port for ssh. So far these
attacks go to the standard port (22).

You can also restrict access to known IPs, either by configuring sshd
(for example using /etc/hosts.allow, /etc/hosts.deny) or by adding a
permanent IP filter to block access and cloud providers world-wide.

Follow-Ups:
- Re: Growing sshd process count
  - From: Mayuresh
- Re: Growing sshd process count
  - From: Steffen Nurpmeso

References:
- Growing sshd process count
  - From: Mayuresh

Prev by Date: Re: Growing sshd process count
Next by Date: Re: Growing sshd process count
Previous by Thread: Re: Growing sshd process count
Next by Thread: Re: Growing sshd process count
Indexes:

Home | Main Index | Thread Index | Old Index