Bug#559869: openssh-server loses connectivity on high load after upgrade
Package: openssh-server
Version: 1:5.1p1-5
OS: Debian Lenny x86_64
Problem:
SSH servers are permanently attacked by brute-force attackers. This obviously doesn't harm
our security, as we are using only DSA key authentication. sshd_config is only altered in
one line: PasswordAuthentication No. All other content in sshd_config is left as suggested
by the package maintainer.
I've recently noticed the ssh service on some 40 servers is giving "Invalid Service Response"
to our heartbeat monitor. This error is given if a TCP handshake is successful but closed without
any protocol handshake. After a few tens of minutes, the ssh service recovers back to normal.
After looking further, I've noticed this behavior during aggressive brute-force attacks. Adding fail2ban
on ssh did not really solve this issue.
Monitoring some switches, I've noticed the attacker was walking through some of our subnets, also
attacking machines running a similar setup, but with RHEL5, Centos4, Solaris9 + 10. The only ssh services
which went down during the attack were running on Debian Lenny x86_64.
Kind regards
--
Stephan Seitz
Senior System Administrator
*netz-haut* e.K.
multimediale kommunikation
zweierweg 22
97074 würzburg
fon: +49 931 2876247
fax: +49 931 2876248
web: http://www.netz-haut.de/
registergericht: amtsgericht würzburg, hra 5054
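
Added example, not part of the original report or of any monitoring product: a minimal Python heartbeat probe that separates the symptom described above (TCP handshake succeeds, connection closes before any SSH identification string) from a refused connection, a silent server, or a non-SSH banner. The status names other than the quoted "Invalid Service Response", the `MAX_PREAMBLE` cap and the timeout are assumptions.

```python
import socket
import sys

MAX_PREAMBLE = 4096  # assumed cap on bytes read while waiting for the banner


def has_ssh_ident(buf: bytes) -> bool:
    """True once a complete line starting with 'SSH-' has arrived (RFC 4253, 4.2)."""
    complete_lines = buf.split(b"\n")[:-1]  # last element is an unfinished line
    return any(line.startswith(b"SSH-") for line in complete_lines)


def probe_ssh(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Classify one connection attempt the way a heartbeat monitor would."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "connect_failed"  # no TCP handshake at all
    buf = b""
    with sock:
        try:
            while not has_ssh_ident(buf) and len(buf) < MAX_PREAMBLE:
                chunk = sock.recv(256)
                if not chunk:  # peer closed the connection
                    break
                buf += chunk
        except socket.timeout:
            return "banner_timeout"  # connection open, server silent
        except OSError:
            pass  # reset by peer: judged below on what was received
    if has_ssh_ident(buf):
        return "ok"
    if not buf:
        # Handshake succeeded, then closed with no protocol data:
        # the symptom reported above.
        return "invalid_service_response"
    return "unexpected_banner"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe_ssh(target))
```

Logging the status per host over time shows whether the empty-close state lines up with the brute-force bursts and how long each server takes to recover.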