SSH DOS?

Matthew Carpenter matt
Mon May 17 11:50:59 PDT 2004 

I am monitoring SSH from an OpenNMS box and two of my systems, both SuSE8.2pro boxen, are registering outages on SSH.  Normally I'd blame either the network or the NMS system (little puny box can hardly keep up) but sure enough, they were indeed DOS'd.  The TCP connection was established and then it drops.  There appear to be quite a few sshd sessions open and not closed, which I am wondering about.  I know that the SSH poller doesn't establish a full SSH session but it shouldn't be able to cause a DOS...

aiu1411 at gandalf:~> ps ax |grep ssh
 1956 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 2693 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 3224 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 3612 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 3700 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 3849 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 3962 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 4020 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 4024 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 4987 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 6476 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 6504 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 6537 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 6539 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 6568 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 6593 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 6636 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 6644 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 6652 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 6716 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
 6722 ?        S      0:00 /usr/sbin/sshd -o PidFile /var/run/sshd.init.pid
11675 pts/2    S      0:00 ssh support at 192.168.72.251
13614 pts/1    S      0:00 grep ssh
aiu1411 at gandalf:~>

Any thoughts?
openssh-3.5p1-68



-- 
Matthew Carpenter
matt at eisgr.com                          http://www.eisgr.com/

Enterprise Information Systems
*Network Consulting, Integration & Support
*Web Development and E-Business

More information about the Linux-users mailing list