[Info-vax] SSH on VAX - performance impact of break in attempts

VAXman- at SendSpamHere.ORG VAXman- at SendSpamHere.ORG
Wed Aug 25 07:55:33 EDT 2010


In article <c764d350-a9b5-40f2-83ff-d9fb637d0183 at x42g2000yqx.googlegroups.com>, Bob Gezelter <gezelter at rlgsc.com> writes:
>On Aug 25, 12:53 am, urbancamo <m... at wickensonline.co.uk> wrote:
>> Good morning,
>>
>> I have a VAX running Multinet V5.3 under a hobbyist license which has
>> an SSH server running to allow access for selected remote users. I've
>> been experiencing a number of break in attempts lately, generally
>> lasting for several hours each. Each attempt causes the SSH server to
>> utilise 100% CPU for about 20 seconds (on a VAXstation 4000/90) - this
>> is having a negative impact for users on overall system performance. I
>> am using the SSH2 server.
>>
>> I have attempted a number of strategies to reduce this impact:
>>
>> 1. I have defined an AllowUsers list so only named users are allowed.
>> 2. I have set AuthInteractiveFailureTimeout to 30 so that there is a
>> 30 second delay between login attempts from the same host/session.
>> 3. I have set RequiredAuthentications to publickey,password so that
>> both a password and a valid public key are required.
>>
>> Unfortunately none of these strategies reduce the length of 100% CPU
>> utilisation for failed login attempts.
>>
>> If anyone has any suggestions that would be great.
>>
>> Many thanks, Mark.
>
>Mark,
>
>I would try to use a LAN analysis package to capture some of the
>attack. While moving SSH to a different port thwarts some attacks, it
>merely covers the symptom. Working for knowledge of what the actual
>attack is would be far more useful. For LAN analysis, I suggest that
>you take a look at Wireshark. One could probably also use the tracing
>tools included with TCPIP.

Bob,

Typically, then it's not a port scanner that's triggered the server, it's
a brute-force password attack.  I'll get these against 'ftp' as well using
'administrator' as the username and running dictionaries for the passwords.
-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

All your spirit rack abuses, come to haunt you back by day.
All your Byzantine excuses, given time, given you away.
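
An added example, not part of the original posts: one way to tell a port scan from the dictionary attack described in the reply above, by counting authentication failures per source in a time window. The event tuple layout, thresholds and addresses are constructed for illustration and are not a Multinet or TCPIP log format.

```python
from collections import defaultdict

# Constructed sample events (hypothetical layout, not a real server log):
# (timestamp_seconds, source_ip, service, event, username)
SAMPLE_EVENTS = [
    (0, "192.0.2.10", "ssh", "connect", None),
    (1, "192.0.2.10", "ftp", "connect", None),
    (2, "192.0.2.10", "telnet", "connect", None),
    (100, "203.0.113.5", "ssh", "auth_fail", "mark"),
    (130, "203.0.113.5", "ssh", "auth_ok", "mark"),
] + [
    # One source cycling passwords against a single username on ftp.
    (200 + 10 * i, "198.51.100.7", "ftp", "auth_fail", "administrator")
    for i in range(6)
]


def classify_sources(events, min_failures=5, window=600, scan_services=3):
    """Return {source_ip: 'brute-force' | 'scan' | 'normal'}.

    brute-force: at least `min_failures` failed logins within `window` seconds.
    scan: connections to `scan_services` or more services, no login attempts.
    """
    per_src = defaultdict(lambda: {"fails": [], "services": set(), "ok": 0})
    for ts, src, service, event, _user in events:
        state = per_src[src]
        state["services"].add(service)
        if event == "auth_fail":
            state["fails"].append(ts)
        elif event == "auth_ok":
            state["ok"] += 1

    verdicts = {}
    for src, state in per_src.items():
        fails = sorted(state["fails"])
        # Sliding window over sorted failure times; empty if too few failures.
        burst = any(
            fails[i + min_failures - 1] - fails[i] <= window
            for i in range(len(fails) - min_failures + 1)
        )
        if burst:
            verdicts[src] = "brute-force"
        elif not fails and not state["ok"] and len(state["services"]) >= scan_services:
            verdicts[src] = "scan"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for source, verdict in sorted(classify_sources(SAMPLE_EVENTS).items()):
        print(source, verdict)
```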


