[Info-vax] runaway TCP/IP ssh server processes

VAXman- at SendSpamHere.ORG VAXman- at SendSpamHere.ORG
Sun Jul 16 11:26:27 EDT 2017


In article <okfvui$9vc$2 at pcls7.std.com>, moroney at world.std.spaamtrap.com (Michael Moroney) writes:
>VAXman-  @SendSpamHere.ORG writes:
>
>>Periodically, I am finding TCPIP$SSH_xxxx server processes consuming large
>>amounts of CPU time.  These tend to bring the system to its knees.  There's
>>no doubt that it's being precipitated by some attempt to exploit ssh.  Has
>>anybody experienced this?  Any clues as to how these processes get in this
>>state and/or how to thwart it?
>
>Yes, I've seen this a lot.  Hackers (rather script kiddie scripts) 
>discover a system with SSH and start to pound on it.  One thing you can do
>is move SSH to an alternate port.  Something I did over 10 years ago is
>write software that listens to the audit server for breakin notifications
>and block the net range it's coming from (usually zombie PCs all over the
>world).

I NEVER configure ssh on 22.  It's always high up in the ephemeral port range.



>SSH processes getting wedged may be due to VMS SSH having the exploits
>the hackers are looking for, but because it's VMS, not Windoze/Linux, it 
>doesn't behave as expected.

I wish I could figure out a way to reproduce it.  I've tried limiting the CPU
time of the TCPIP$SSH account but that seems to have no effect; the processes
still consume CPU well over that limit.
 
-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

I speak to machines with the voice of humanity.
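
The blocking approach Michael Moroney describes in the quoted text (watch break-in notifications, block the net range they come from), sketched as an added example that is not part of the original thread and is not his software. The event format, threshold, time window, /24 grouping and allowlist are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real audit output): "ISO-timestamp source-address".
SAMPLE_EVENTS = """\
2017-07-16T10:00:01 203.0.113.5
2017-07-16T10:00:04 203.0.113.77
2017-07-16T10:00:09 198.51.100.20
2017-07-16T10:00:15 203.0.113.200
2017-07-16T10:09:30 198.51.100.21
2017-07-16T10:30:00 198.51.100.22
"""

class RangeBlocker:
    """Count break-in notifications per network and decide when to block a range."""
    def __init__(self, threshold=3, window=timedelta(minutes=5), prefix=24, allowlist=()):
        self.threshold = threshold          # events needed before a range is blocked
        self.window = window                # only events this recent are counted
        self.prefix = prefix                # assumed grouping: one /24 per "net range"
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.recent = defaultdict(deque)    # network -> timestamps inside the window
        self.blocked = set()

    def observe(self, when, source):
        """Record one event; return the network to block now, or None."""
        addr = ipaddress.ip_address(source)
        if any(addr in net for net in self.allowlist):
            return None                     # never lock out trusted ranges
        net = ipaddress.ip_network(f"{addr}/{self.prefix}", strict=False)
        if net in self.blocked:
            return None                     # already handled
        times = self.recent[net]
        times.append(when)
        while times and when - times[0] > self.window:
            times.popleft()                 # expire events older than the window
        if len(times) >= self.threshold:
            self.blocked.add(net)
            return net
        return None

def networks_to_block(text, **kwargs):
    blocker, hits = RangeBlocker(**kwargs), []
    for line in text.splitlines():
        stamp, source = line.split()
        net = blocker.observe(datetime.fromisoformat(stamp), source)
        if net is not None:
            hits.append(str(net))
    return hits
```

With the default five-minute window only the range that produced three events in quick succession is returned; the slower source stays under the threshold until the window is widened.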


