[Info-vax] SSH on VAX - performance impact of break in attempts
Bob Gezelter
gezelter at rlgsc.com
Wed Aug 25 06:48:16 EDT 2010
On Aug 25, 12:53 am, urbancamo <m... at wickensonline.co.uk> wrote:
> Good morning,
>
> I have a VAX running Multinet V5.3 under a hobbyist license which has
> an SSH server running to allow access for selected remote users. I've
> been experiencing a number of break in attempts lately, generally
> lasting for several hours each. Each attempt causes the SSH server to
> utilise 100% CPU for about 20 seconds (on a VAXstation 4000/90) - this
> is having a negative impact for users on overall system performance. I
> am using the SSH2 server.
>
> I have attempted a number of strategies to reduce this impact:
>
> 1. I have defined an AllowUsers list so only named users are allowed.
> 2. I have set AuthInteractiveFailureTimeout to 30 so that there is a
> 30 second delay between login attempts from the same host/session.
> 3. I have set RequiredAuthentications to publickey,password so that
> both a password and a valid public key are required.
>
> Unfortunately none of these strategies reduce the length of 100% CPU
> utilisation for failed login attempts.
>
> If anyone has any suggestions that would be great.
>
> Many thanks, Mark.
Mark,
I would try to use a LAN analysis package to capture some of the
attack. While moving SSH to a different port thwarts some attacks, it
merely covers the symptom. Working for knowledge of what the actual
attack is would be far more useful. For LAN analysis, I suggest that
you take a look at Wireshark. One could probably also use the tracing
tools included with TCPIP.
- Bob Gezelter, http://www.rlgsc.com
More information about the Info-vax
mailing list