
Bug#559869: openssh-server loses connectivity on high load after upgrade



Package: openssh-server
Version: 1:5.1p1-5

OS: Debian Lenny x86_64

Problem:

SSH servers are permanently attacked by brute-force attackers. This obviously doesn't harm
our security, as we are using only DSA key authentication. sshd_config is only altered in
one line: PasswordAuthentication No. All other content in sshd_config is left as suggested
by the package maintainer.

I've recently noticed the ssh service on some 40 servers is giving "Invalid Service Response"
to our heartbeat monitor. This error is given if a TCP handshake is successful but the connection
is closed without any protocol handshake. After a few tens of minutes, the ssh service recovers
back to normal.
After looking further, I've noticed this behavior during aggressive brute-force attacks. Adding
fail2ban on ssh did not really solve this issue.
Monitoring some switches, I've noticed the attacker was walking through some of our subnets, also
attacking machines running a similar setup, but with RHEL5, CentOS4, Solaris9 + 10. The only ssh
services which went down during the attack were running on Debian Lenny x86_64.




Kind regards

--
Stephan Seitz
Senior System Administrator

*netz-haut* e.K.
multimediale kommunikation

zweierweg 22
97074 würzburg

fon: +49 931 2876247
fax: +49 931 2876248

web: http://www.netz-haut.de/

registration court: Amtsgericht Würzburg, HRA 5054
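
A monitor check that separates the failure described in the report (TCP handshake completes, connection closed before any SSH identification string) from a refused connection or a healthy banner. This is an added example, not part of the original report or of the heartbeat monitor it mentions; `probe_ssh`, `start_fake_sshd` and the state names are assumptions, and the fake server and its banner are constructed stand-ins that run on localhost only.

```python
import socket
import threading

def probe_ssh(host, port, timeout=3.0):
    """Classify an SSH endpoint by how far the connection gets."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_failed"               # refused, unreachable or timed out
    with sock:
        sock.settimeout(timeout)
        data = b""
        try:
            # The identification string is at most 255 bytes and ends in a newline.
            while b"\n" not in data and len(data) < 255:
                chunk = sock.recv(255 - len(data))
                if not chunk:             # peer closed the connection
                    break
                data += chunk
        except socket.timeout:
            return "banner_timeout"       # connection held open, nothing sent
        except OSError:
            pass                          # reset by peer: judge what was received
    if data.startswith(b"SSH-"):
        return "ok"
    # Lines sent before the identification string are reported as unexpected here.
    return "unexpected_banner" if data else "closed_before_banner"

def start_fake_sshd(banner):
    """Constructed localhost server: sends `banner` (may be empty), then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    healthy = start_fake_sshd(b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n")  # constructed banner
    dropped = start_fake_sshd(b"")        # accept, then close without a banner
    print("healthy:", probe_ssh("127.0.0.1", healthy))
    print("dropped:", probe_ssh("127.0.0.1", dropped))
```

Logging the returned state per host over time shows whether the outages line up with the brute-force bursts and how long each server stays in `closed_before_banner`.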





