[Info-vax] SSH on VAX - performance impact of break in attempts
Mike Rechtman
mike at rechtman.com
Wed Aug 25 11:18:38 EDT 2010
On 25/08/10 08:53, urbancamo wrote:
> Good morning,
>
> I have a VAX running Multinet V5.3 under a hobbyist license which has
> an SSH server running to allow access for selected remote users. I've
> been experiencing a number of break in attempts lately, generally
> lasting for several hours each. Each attempt causes the SSH server to
> utilise 100% CPU for about 20 seconds (on a VAXstation 4000/90) - this
> is having a negative impact for users on overall system performance. I
> am using the SSH2 server.
>
> I have attempted a number of strategies to reduce this impact:
>
> 1. I have defined an AllowUsers list so only named users are allowed.
> 2. I have set AuthInteractiveFailureTimeout to 30 so that there is a
> 30 second delay between login attempts from the same host/session.
> 3. I have set RequiredAuthentications to publickey,password so that
> both a password and a valid public key are required.
>
> Unfortunately none of these strategies reduce the length of 100% CPU
> utilisation for failed login attempts.
>
> If anyone has any suggestions that would be great.
>
> Many thanks, Mark.
I have OpenVMS 8.3, with TCPIP V5.6
Besides setting up AllowHosts and AllowUsers in SSHD2.config, I set up the
following in TCPIP$SSH_HOME:LOGIN.COM:
<start code>
$! login.com for HP TCP/IP Services for OpenVMS auxiliary service
$!
$ set verify
$ on error then goto finish
$! Get the address of where they are coming from.
$!
$ sysrem_node = "''f$trnlnm("SYS$REM_NODE")'" - "::"
$ sysrem_node = f$edit( sysrem_node,"UPCASE,COLLAPSE" )
$ deny_file = "TCPIP$SSH_HOME:deny.ssh;"
$!
$ set noon
$!
$ show symbol sysrem_node
$! If we're local just go through:
$ if f$extract(0,3,sysrem_node) .eqs. "10." then exit
$ if (sysrem_node .eqs. "212.117.136.27") then exit
$ write SYS$OUTPUT "sysrem_node .eqs. ''sysrem_node'"
$!
$ set noon
$ search/nooutput 'deny_file' "/''sysrem_node'/"
$ st = $STATUS
$ if ( st .eq. 1 ) then goto finish
$!
$! Let's check to see if we have seen this IP in the past 24 hours
$!
$! set noverify so that the actual search command is not in the log
$ set noverify
$ search TCPIP$SSH_RUN.LOG;* SYSREM_NODE,write,'sysrem_node' /match=AND -
/stat/since=yesterday/nooutput
$!
$ set verify
$!
$! From OpenVMS V8.3, use SEARCH symbols
$ number_of_times = f$integer(SEARCH$RECORDS_MATCHED)
$!
$ wait_time = "00:00:00"
$!
$! If we have seen this IP in the past day then make them
$! wait 10 seconds for every try we have.
$!
$ if number_of_times .gt. 0
$ then
$ show symb number_of_times
$! if ( number_of_times .ge. 2 )
$! then
$! set noon
$! search/nooutput 'deny_file' "/''sysrem_node'/"
$! st = $STATUS
$! if ( st .eq. 1 ) then goto finish
$! endif
$! if number_of_times .gt. 6 then goto finish
$ seconds = number_of_times * 10
$ wait_time = f$fao("00:00:!2ZB",seconds)
$ if seconds .gt. 40
$ then
$ wait_time = "00:01:00"
$ s = "SSH from ''sysrem_node' - " + -
" waited ''wait_time' after ''number_of_times' tries"
$ show symb s
$ ! mail NLA0: rechtman/subject="''s'"
$ close/nolog rec
$ open/append rec 'deny_file'
$ write rec "/''sysrem_node'/"
$ close/nolog rec
$ endif
$!
$ write SYS$OUTPUT "Waiting ''wait_time'"
$ wait 'wait_time'
$!
$!
$ endif
$ set noverif
$ exit
$!
$ finish: logout
$!
<end code>
That way, I have my own blacklist in deny.ssh, which quickly dumps attempts from
frequent tryers.
It catches anywhere between ten and a few hundred every day.
--
Mike R.
Home: http://alpha.mike-r.com/
QOTD: http://alpha.mike-r.com/php/qotd.php
No Micro$oft products were used in the URLs above, or in preparing this message.
Recommended reading: http://www.catb.org/~esr/faqs/smart-questions.html#before
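The throttle-and-deny-list policy in the LOGIN.COM above (skip local and trusted addresses, log out anyone already in deny.ssh, otherwise count how often the source address appears in the SSH log since yesterday, make it wait ten seconds per earlier try, and once that passes 40 seconds cap the wait at one minute and append the address to deny.ssh) can be modelled outside DCL so the policy can be checked against sample log lines. The following Python is an added example, not Mike R.'s script and not part of Multinet or TCP/IP Services; it assumes a log line format of "<ISO timestamp> SYSREM_NODE .eqs. <address>" (a constructed shape, the post's own log format is not shown) and a deny file with one "/<address>/" entry per line as the script writes it.

```python
"""Model of the SSH login throttle / deny-list policy (added example).

Assumptions, not from the original post:
  * log lines look like "<ISO timestamp> SYSREM_NODE .eqs. <address>"
  * deny-list text holds one "/<address>/" entry per line (as deny.ssh does)
  * the 10.0.0.0/8 "local" test and the trusted host are taken from the script
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOCAL_NETS = [ip_network("10.0.0.0/8")]   # the script's f$extract(0,3,...) .eqs. "10." test
TRUSTED_HOSTS = {"212.117.136.27"}         # the script's explicit pass-through address
SECONDS_PER_TRY = 10                       # "wait 10 seconds for every try"
CAP_SECONDS = 40                           # above this: one-minute wait and deny-list entry
MAX_WAIT = 60


def is_local(ip: str) -> bool:
    """Local or trusted sources are never throttled (the two early EXITs)."""
    addr = ip_address(ip)
    return ip in TRUSTED_HOSTS or any(addr in net for net in LOCAL_NETS)


def parse_deny(text: str) -> set:
    """Read a deny.ssh-style file: '/203.0.113.9/' per line -> {'203.0.113.9'}."""
    return {line.strip().strip("/") for line in text.splitlines() if line.strip()}


def count_recent(log_lines, ip: str, now: datetime) -> int:
    """Count SYSREM_NODE records for ip since 00:00 of the previous day.

    DCL's /SINCE=YESTERDAY means midnight of yesterday, not a rolling 24 hours,
    so the model uses the same cut-off.
    """
    since = (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    hits = 0
    for line in log_lines:
        ts_text, _, rest = line.partition(" ")
        fields = rest.split()
        if "SYSREM_NODE" not in fields or not fields or fields[-1] != ip:
            continue
        if datetime.fromisoformat(ts_text) >= since:
            hits += 1
    return hits


def decide(ip: str, log_lines, deny: set, now: datetime):
    """Return ('allow', 0), ('wait', seconds) or ('deny', 0) for one login.

    'deny' mirrors 'goto finish' (LOGOUT); 'wait' mirrors 'wait 'wait_time''
    followed by EXIT, i.e. the login still proceeds after the delay. When the
    computed delay exceeds CAP_SECONDS the address is added to the deny set,
    so its next attempt is refused outright.
    """
    if is_local(ip):
        return ("allow", 0)
    if ip in deny:
        return ("deny", 0)
    tries = count_recent(log_lines, ip, now)
    if tries == 0:
        return ("allow", 0)
    seconds = tries * SECONDS_PER_TRY
    if seconds > CAP_SECONDS:
        deny.add(ip)                       # open/append rec 'deny_file'
        return ("wait", MAX_WAIT)
    return ("wait", seconds)


# Constructed sample log and deny list (not real data).
SAMPLE_LOG = """\
2010-08-23T09:00:00 SYSREM_NODE .eqs. 198.51.100.7
2010-08-25T10:00:00 SYSREM_NODE .eqs. 198.51.100.7
2010-08-25T10:00:30 SYSREM_NODE .eqs. 198.51.100.7
2010-08-25T10:01:00 SYSREM_NODE .eqs. 203.0.113.9
2010-08-25T10:01:10 SYSREM_NODE .eqs. 203.0.113.9
2010-08-25T10:01:20 SYSREM_NODE .eqs. 203.0.113.9
2010-08-25T10:01:30 SYSREM_NODE .eqs. 203.0.113.9
2010-08-25T10:01:40 SYSREM_NODE .eqs. 203.0.113.9
"""
LOG_LINES = SAMPLE_LOG.splitlines()
SAMPLE_DENY = "/192.0.2.200/\n"
NOW = datetime(2010, 8, 25, 11, 0, 0)


if __name__ == "__main__":
    deny = parse_deny(SAMPLE_DENY)
    for src in ("10.1.2.3", "192.0.2.200", "198.51.100.7", "203.0.113.9", "203.0.113.9"):
        print(src, decide(src, LOG_LINES, deny, NOW))
    print("deny list now:", sorted(deny))
```

Running the demo shows the three outcomes in order: the 10.x address passes untouched, the pre-listed address is refused, the two-try source waits 20 seconds, the five-try source waits 60 seconds and lands on the deny list, and its second attempt is then refused without any wait. The model keeps the script's ordering, so a source that is already listed is turned away before any log search runs, which is the step that saves the CPU time the original poster was losing.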