[Info-vax] SSH on VAX - performance impact of break in attempts

[Jeremy Begg]

Hi Mark,

I can recommend from personal experience both of the following solutions:

1.  Change the incoming port to something other than 22.  This almost always 
prevents your system being targetted by the bots.  (I typically add another 
three digits to the port number.)

2.  If using a port other than 22 is impractical, implement the MultiNet 
Intrustion Prevention System.  It's very good - and it will protect other 
services such as FTP, TELNET and the three main email protocols (SMTP, IMAP 
and POP).  If you get keen and don't mind writing some code, you can 
potentially use it for any TCP service.

I did a write-up of MultiNet IPS in the OpenVMS Technical Journal V13
http://h71000.www7.hp.com/openvms/journal/v13/index.html

Just a word of advice: make sure you install the latest FILTER_SERVER patch 
kit for MultiNet.

Regards,

	Jeremy Begg

> I have a VAX running Multinet V5.3 under a hobbyist license which has
> an SSH server running to allow access for selected remote users. I've
> been experiencing a number of break in attempts lately, generally
> lasting for several hours each. Each attempt causes the SSH server to
> utilise 100% CPU for about 20 seconds (on a VAXstation 4000/90) - this
> is having a negative impact for users on overall system performance. I
> am using the SSH2 server.
> 
> I have attempted a number of strategies to reduce this impact:
> 
> 1. I have defined an AllowUsers list so only named users are allowed.
> 2. I have set AuthInteractiveFailureTimeout to 30 so that there is a
> 30 second delay between login attempts from the same host/session.
> 3. I have set RequiredAuthentications to publickey,password so that
> both a password and a valid public key are required.
> 
> Unfortunately none of these strategies reduce the length of 100% CPU
> utilisation for failed login attempts.
> 
> If anyone has any suggestions that would be great.
> 
> Many thanks, Mark.