January 2005
Andrew Pollock


Friday, 14 January 2005

SSH daemon weirdness

This Saturday and last Saturday, Nagios has told me that it couldn't ssh to daedalus, my server in Brisbane. I figured out last weekend that what seems to be happening is that the SSH daemon is hitting its MaxStartups limit, which is the maximum number of concurrent unauthenticated connections it will hold before it starts refusing new ones (10 by default in the Debian ssh package). The Debian default value for LoginGraceTime (which is how long to hold an unauthenticated connection open before sshd gives up on it) is 10 minutes, so ten idle connections are enough to lock everyone else out for that long.

So you can make a good DoS attack on a default Debian SSH daemon by just doing something like:

while :; do
	nc $VICTIM 22 &
done

So I decided to file #289573. Lowering LoginGraceTime won't really resolve the problem, but it'll shorten the length of the DoS (hopefully).
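For comparison, here are the two relevant sshd_config settings as the post describes the Debian defaults, next to a tightened version. This is an added example, not configuration from the post or from the Debian package; the hardened values are illustrative and should be tuned to the host.

```text
# Debian defaults as described in the post: ten pending connections
# are enough to block new logins for ten minutes.
MaxStartups 10
LoginGraceTime 600

# Tightened (hypothetical values): start randomly dropping new
# unauthenticated connections once 10 are pending (30% chance),
# rising linearly to dropping all of them at 60, and give each
# pending connection only 30 seconds to authenticate.
MaxStartups 10:30:60
LoginGraceTime 30
```

The start:rate:full form of MaxStartups is OpenSSH's random early drop: it does not stop an attacker holding connections open, but it means a flood no longer reliably fills every slot, so a legitimate client usually gets through after a retry, and a short LoginGraceTime frees whatever slots the attacker does take much sooner.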

My initial suspicion was that it's related to those brute force SSH login attempts that have been doing the rounds for months. However, I had a brief look into today's DoS, and whilst there were the 10 or so unauthenticated sshd processes lingering around tying things up, there weren't any actual TCP connections associated with them, so I'm now wondering if there's a bug in OpenSSH that is being tickled by all this...
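The check described above (counting unauthenticated sshd children and comparing them with live TCP connections to port 22) can be scripted so Nagios or a cron job flags both conditions: the daemon sitting at its MaxStartups limit, and pre-auth children lingering with no socket behind them. The script below is an added example, not from the post. It assumes privilege separation, under which each pending connection has a parent child titled `sshd: [accepted]` (the unprivileged helper is `sshd: [net]`) and each authenticated session has a monitor titled `sshd: USER [priv]`. The ps and netstat output is constructed inline so it runs offline; in production you would feed it `ps -eo args` and `netstat -tn`.

```shell
#!/bin/sh
# Added example: compare pre-authentication sshd children against live TCP
# connections to port 22. Assumes OpenSSH privilege separation process titles.

# Constructed `ps -eo args` output: the listener, three pending (unauthenticated)
# connections, one authenticated session for user "andrew".
SAMPLE_PS='COMMAND
/usr/sbin/sshd
sshd: [accepted]
sshd: [net]
sshd: [accepted]
sshd: [net]
sshd: [accepted]
sshd: [net]
sshd: andrew [priv]
sshd: andrew@pts/0'

# Constructed `netstat -tn` output: only ONE established connection to :22,
# even though ps shows four sshd children handling connections.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED'

# Constructed healthy case: four established connections to :22, matching ps.
SAMPLE_NETSTAT_HEALTHY='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.8:40100      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:40101      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.10:40102     ESTABLISHED'

# count_preauth PS_OUTPUT: number of pending, unauthenticated connections.
count_preauth() {
    printf '%s\n' "$1" | awk '$0 == "sshd: [accepted]" {n++} END {print n+0}'
}

# count_handlers PS_OUTPUT: every sshd parent that owns a client connection,
# pending ([accepted]) or authenticated (USER [priv]).
count_handlers() {
    printf '%s\n' "$1" |
        awk '$0 == "sshd: [accepted]" || /^sshd: [^ ]+ \[priv\]$/ {n++} END {print n+0}'
}

# count_ssh_tcp NETSTAT_OUTPUT: ESTABLISHED TCP connections to local port 22.
count_ssh_tcp() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^tcp6?$/ && $4 ~ /:22$/ && $6 == "ESTABLISHED" {n++} END {print n+0}'
}

# sshd_startup_status PS_OUTPUT NETSTAT_OUTPUT [MAXSTARTUPS]
# Prints one of:
#   full     - pending connections have reached MaxStartups; new logins are refused
#   orphaned - more connection-handling sshd children than TCP connections,
#              i.e. children lingering with no socket behind them
#   ok       - otherwise
sshd_startup_status() {
    pre=$(count_preauth "$1")
    handlers=$(count_handlers "$1")
    tcp=$(count_ssh_tcp "$2")
    max=${3:-10}   # MaxStartups; 10 is the OpenSSH default
    if [ "$pre" -ge "$max" ]; then
        echo full
    elif [ "$handlers" -gt "$tcp" ]; then
        echo orphaned
    else
        echo ok
    fi
}

# Stand-alone run over the constructed samples.
echo "pending=$(count_preauth "$SAMPLE_PS") handlers=$(count_handlers "$SAMPLE_PS")"
echo "tcp=$(count_ssh_tcp "$SAMPLE_NETSTAT") -> $(sshd_startup_status "$SAMPLE_PS" "$SAMPLE_NETSTAT" 10)"
echo "tcp=$(count_ssh_tcp "$SAMPLE_NETSTAT_HEALTHY") -> $(sshd_startup_status "$SAMPLE_PS" "$SAMPLE_NETSTAT_HEALTHY" 10)"
```

With the constructed input the script reports `orphaned` at the default MaxStartups of 10 (four handlers, one connection), `full` if MaxStartups were 3, and `ok` against the healthy netstat sample. On a live box, an `orphaned` result alongside an idle TCP table is the signature the post describes: children that should have been reaped when their sockets closed, rather than a flood still in progress.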

The fact that it only seems to be an issue on Saturdays makes me suspect script kiddies...

