[Info-vax] SSH on VAX - performance impact of break in attempts

Richard Whalen WhalenR at process.com
Wed Aug 25 08:58:19 EDT 2010


Since you are using MultiNet V5.3, have you configured the Intrusion 
Prevention System (FILTER_SERVER)?
When properly configured this will install filters that will quickly prevent 
the IP addresses that are making break-in attempts from ever getting to 
SSH.

I'm not sure what the SSH code is doing after each attempt, but the memory 
deallocation routines fill the space with a specific pattern and the code 
deallocates all dynamically allocated data structures as part of its 
run-down process. 20 seconds seems like a lot of time for filling 
deallocated data structures, so I suspect that there is something else going 
on as well.

"urbancamo" <mark at wickensonline.co.uk> wrote in message 
news:30bb3a36-2c46-4041-bf98-2f2d0329ffa7 at x21g2000yqa.googlegroups.com...
> Good morning,
>
> I have a VAX running MultiNet V5.3 under a hobbyist license which has
> an SSH server running to allow access for selected remote users. I've
> been experiencing a number of break-in attempts lately, generally
> lasting for several hours each. Each attempt causes the SSH server to
> utilise 100% CPU for about 20 seconds (on a VAXstation 4000/90) - this
> is having a negative impact for users on overall system performance. I
> am using the SSH2 server.
>
> I have attempted a number of strategies to reduce this impact:
>
> 1. I have defined an AllowUsers list so only named users are allowed.
> 2. I have set AuthInteractiveFailureTimeout to 30 so that there is a
> 30 second delay between login attempts from the same host/session.
> 3. I have set RequiredAuthentications to publickey,password so that
> both a password and a valid public key are required.
>
> Unfortunately none of these strategies reduce the length of 100% CPU
> utilisation for failed login attempts.
>
> If anyone has any suggestions that would be great.
>
> Many thanks, Mark. 




