I'm new to these forums, but have been using Linux for several months. Lately I have been having issues where sshd loads many processes, all using around 50-100 CPU. These cause the load averages to spike at over 5.00 at times, which totally bogs the server down.
My only real presumption is that it is some sort of attack, as at the exact same time there are minor bandwidth spikes (only around 40K bits of traffic extra per second).
htop says the exact process names are:
(command) sshd: root [net]
There is also usually an equal (or near) amount of sshd: root [priv] - though these are usually not using the CPU; it's almost always the [net] instances that are.
Lately, there have also been many: sshd: unknown [net] / [priv]
Any ideas how to prevent this? Would anything overly bad occur if I limited the 'sshd' user to, say, 2 processes? Should that user even exist? I always thought that sshd sessions opened up with the user as the username of the person who had logged into SSH (i.e. if the user Paul logged in, the user would come up as 'Paul').
Linux distro is Debian 5, by the way.
Welcome to the forums!
If you are running sshd on its default configuration, you'll find it's a prime target for scripted attacks. Whether this is caused by scripted attacks, I couldn't say, but it's the first thing that came to mind.
You can check these commands (as root):
last # Descending list of who logged in to your system
lastb # List of failed login attempts (the 'b' is for 'bad')
Post here if one of these gives cause for concern.
Other logs may give more detail, such as:
cat /var/log/messages | grep -i ssh
A very good idea, regardless of what's causing these processes to run wild, is to change the default port (22) to a higher unprivileged port (any port above 1024 will do). This won't stop a dedicated blackhat getting into your box, but most attacks are just scripted and these just target port 22 and nothing else.
Also disallow root logins. You can still ssh into your box and su to root if need be, but not ssh into the box as root directly. The majority of ssh attacks try to brute force the root password. Nice... innit?
Finally, nobody uses protocol 1 anymore, except perhaps a few legacy systems. You can check if it is disabled.
So in short, add or edit these lines in /etc/ssh/sshd_conf:
And restart sshd. These measures should stop 99.99999% of all break in attempts.
Don't forget to update the port forwarding settings on your router, if applicable.
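The log check and the three sshd hardening settings recommended in the reply above (higher port, no direct root login, protocol 1 disabled), as an added example that is not code from this thread: a POSIX shell script that tallies failed password attempts per source address from auth-log lines of the kind `grep -i ssh` returns, and audits an sshd configuration file for those three settings. Everything it reads is constructed inline: the log lines use documentation addresses, the two config files are written to temporary files, and port 2222 is an arbitrary choice. On Debian the real file is /etc/ssh/sshd_config; the script takes the path as an argument so it can be pointed at either the samples or the live file.

```shell
#!/bin/sh
# Added example, not from the forum thread. Audits an sshd config for the
# settings the reply recommends and tallies failed SSH logins per source IP.

# Constructed sample auth-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG='Jan 10 03:12:01 host sshd[4242]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:03 host sshd[4243]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:07 host sshd[4244]: Failed password for root from 198.51.100.9 port 40001 ssh2
Jan 10 03:13:00 host sshd[4250]: Accepted password for paul from 192.0.2.10 port 50000 ssh2'

# Read auth-log text on stdin, print "count ip" for failed password attempts,
# most frequent source first. "Failed password ... from <ip>" is OpenSSH wording.
failed_logins_by_ip() {
    grep -i 'sshd.*Failed password' \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Effective value of a keyword in an sshd config: sshd honours the first
# uncommented occurrence, so stop at the first match; fall back to a default.
sshd_setting() {
    # $1 = config file, $2 = keyword, $3 = default when the keyword is absent
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# Report weak settings on stderr and print the number of findings on stdout.
# An absent PermitRootLogin is treated as "yes", which was the default on
# OpenSSH releases of the Debian 5 era.
audit_sshd_config() {
    findings=0
    port=$(sshd_setting "$1" Port 22)
    root=$(sshd_setting "$1" PermitRootLogin yes)
    proto=$(sshd_setting "$1" Protocol 2)
    if [ "$port" -le 1024 ]; then
        echo "WEAK: Port $port (privileged/default port, the one scripted scans target)" >&2
        findings=$((findings + 1))
    fi
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin $root (direct root logins allowed)" >&2
           findings=$((findings + 1)) ;;
    esac
    case "$proto" in
        *1*) echo "WEAK: Protocol $proto (SSH protocol 1 enabled)" >&2
             findings=$((findings + 1)) ;;
    esac
    echo "$findings"
}

# Constructed config files: a stock-looking one and the hardened version.
WEAK_CONF=$(mktemp "${TMPDIR:-/tmp}/sshd_weak.XXXXXX")
HARDENED_CONF=$(mktemp "${TMPDIR:-/tmp}/sshd_hardened.XXXXXX")
cat > "$WEAK_CONF" <<'EOF'
# constructed sample: defaults left in place, root login only commented out
Port 22
Protocol 2,1
#PermitRootLogin yes
EOF
cat > "$HARDENED_CONF" <<'EOF'
# constructed sample: the three changes the reply recommends (2222 is arbitrary)
Port 2222
Protocol 2
PermitRootLogin no
EOF

echo "--- failed password attempts per source address"
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
echo "--- audit of stock-looking config"
echo "findings: $(audit_sshd_config "$WEAK_CONF")"
echo "--- audit of hardened config"
echo "findings: $(audit_sshd_config "$HARDENED_CONF")"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config` (as root, since the file is typically not world-readable on all systems) and feed it real logs with `grep -i ssh /var/log/auth.log | failed_logins_by_ip`; the per-address counts are what you would paste into a thread like this one, and the audit returning 0 findings is the quick check that the edit actually took effect before restarting sshd.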
Hi, thanks for the reply.
Changing the port fixed it. However, after reading your post, I've also disabled direct root access to the server, and the other servers I run. Thanks a lot :)