NetBSD-Users archive


Re: Growing sshd process count



Michael van Elst wrote in
 <thpc7g$qr7$1%serpens.de@localhost>:
 |mayuresh%acm.org@localhost (Mayuresh) writes:
 |
 |>On NetBSD 9.2 amd64 VPS I noticed system slowness and top showed too many
 |>ssh processes - 49 to be precise.
 |
 |>I have blacklistd enabled and approximately in every 2 to 3 minutes a new
 |>IP address is getting blocked.
 |
 |>Using console access I stopped ssh service, killed sshd processes and
 |>restarted. As of writing this the count of sshd processes is 10 again,
 |>when only 2 ssh sessions are shown in `who'.
 |
 |>What explains the count of these processes and what precautions shall I be
 |>taking?
 |
 |Someone is brute-forcing your account passwords.
 |
 |Easiest counter-measure is to use a different port for ssh. So far these
 |attacks go to the standard port (22).

Yes.  It will be found someday, but I found it will take time.

 |You can also restrict access to known IPs, either by configuring sshd
 |(for example using /etc/hosts.allow, /etc/hosts.deny) or by adding a
 |permanent IP filter to block access and cloud providers world-wide.

I have a firewall rule

   change_chain i_sshorvpn # {{{

   add_rule -m recent --name sshorvpn --rcheck --seconds XXX --reap \
         --hitcount "${FWCORE_SSH_AND_VPN_CLIENT_HITCOUNT}" \
      -m recent --name alien_super --set \
      -j DROP
   add_rule -m limit --limit 1/m --limit-burst 3 -j LOG --log-prefix "SSH/VPN "
   add_rule -m recent --name sshorvpn --set -j f_m1

where FWCORE_SSH_AND_VPN_CLIENT_HITCOUNT=10, but that is now; it
was 3 in the past.  alien_super entries are denied further access
for many hours.  But mind you, there _are_ smart attackers which
really find out the --seconds over months!!  I have a port knocker

   # port_knock: input only server
   if [ -n "${SERVER}" ] && fwcore_has_i port_knock; then
      : ${FWCORE_PORT_KNOCK:?\
port_knock in FWCORE_IPROTOS needs FWCORE_PORT_KNOCK}
      if ipaddr_split ap "${FWCORE_PORT_KNOCK}"; then
         add_rule -p udp --dport ${port} \
            -m recent --name port_knock --set \
            -m recent --name port_knock --rcheck --seconds 60 --reap \
               --hitcount 2 \
            -m recent --name alien_super --set -j DROP
         add_rule -p udp --dport ${port} -j f_m1
      fi
   fi

It performs a white-listing (i.e. red, yellow, allow) operation.
Just in case I bang against the above, which I did somewhat
regularly with ssh, even though I was using ControlMaster.

I am now using a WireGuard VPN regardless of its developer :-)),
and ssh only sits in the VPN on its regular port.
WireGuard now solely uses the above sshorvpn rule, but since it
bypasses the firewall once a connection is established, I never
locked myself out.  (Yes I did, but only because I was too quick.)
I have only 22 alien_super entries at the moment, whereas in
earlier times we were always at the maximum of 250.  (WG listens
on strange ports.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
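The hitcount/window logic of the sshorvpn rules above, as an added example that is not part of the original post or of the author's firewall scripts: a Python emulation of the `-m recent --rcheck --seconds S --reap --hitcount N` check followed by `--set`, run over constructed sshd log lines. It also illustrates the remark about attackers learning `--seconds`: a source that paces its attempts just outside a 60 s window is never dropped at hitcount 3, while a longer window still catches it. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not from the original post). 203.0.113.5
# hammers the port; 198.51.100.7 spaces its attempts 90 s apart.
SAMPLE_LOG = """\
Jan 10 10:00:01 vps sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:05 vps sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 10:00:12 vps sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 10:00:20 vps sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 10 10:00:30 vps sshd[1005]: Accepted publickey for steffen from 192.0.2.9 port 50000 ssh2
Jan 10 10:01:00 vps sshd[1006]: Failed password for root from 198.51.100.7 port 41000 ssh2
Jan 10 10:02:30 vps sshd[1007]: Failed password for root from 198.51.100.7 port 41001 ssh2
Jan 10 10:04:00 vps sshd[1008]: Failed password for root from 198.51.100.7 port 41002 ssh2
Jan 10 10:05:30 vps sshd[1009]: Failed password for root from 198.51.100.7 port 41003 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+")

def parse_failures(text, year=2023):
    """Yield (timestamp, source_ip) for each 'Failed password' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def recent_rcheck(events, seconds, hitcount):
    """Emulate the rule pair from the post: '--rcheck --seconds S --reap
    --hitcount N' is evaluated against the hits already recorded for the
    source, stale hits are reaped, and only a packet that was not dropped
    reaches the trailing '--set'. Returns {ip: time of first DROP}."""
    hits = defaultdict(deque)
    dropped = {}
    for ts, ip in sorted(events):
        if ip in dropped:          # alien_super entry: stays blocked
            continue
        q = hits[ip]
        while q and (ts - q[0]).total_seconds() > seconds:
            q.popleft()            # --reap: forget hits outside the window
        if len(q) >= hitcount:     # --rcheck --hitcount matched -> DROP
            dropped[ip] = ts
        else:
            q.append(ts)           # --set: record this packet
    return dropped

def blocked_sources(log_text, seconds, hitcount):
    return recent_rcheck(parse_failures(log_text), seconds, hitcount)
```

Run `blocked_sources(SAMPLE_LOG, 60, 3)` against `blocked_sources(SAMPLE_LOG, 3600, 3)` to see the slow source appear only with the longer window, and `blocked_sources(SAMPLE_LOG, 60, 10)` to see that the post's current hitcount of 10 drops neither.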

