bugzilla-daemon at mindrot.org
2004-Oct-31 19:59 UTC
[Bug 948] high CPU in sshd after tcp_wrappers deny
http://bugzilla.mindrot.org/show_bug.cgi?id=948 Summary: high CPU in sshd after tcp_wrappers deny Product: Portable OpenSSH Version: 3.9p1 Platform: Sparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy: atlunde at panix.com CC: atlunde at panix.com We are using OpenSSH sshd built with the tcp_wrappers library, and rules set to deny access not coming from our local domain. Recently we have seen cases where an sshd process was left running and consuming a large amount of CPU. Looking at the logs and the time the process was started, it appears that the trigger was a denied ssh connection blocked by tcp_wrappers. (I suspect this was the password guessing attack that's been going around recently, because we've gotten few blocked ssh connections in the past, but I can't say for sure.) This was on Solaris 8, openssh-3.9p1, OpenSSL 0.9.7d, tcp_wrappers 7.6 uname -a SunOS XXXXXX 5.8 Generic_108528-18 sun4u sparc SUNW,Sun-Fire-280R ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Oct-31 20:05 UTC
[Bug 948] high CPU in sshd after tcp_wrappers deny
http://bugzilla.mindrot.org/show_bug.cgi?id=948 ------- Additional Comments From atlunde at panix.com 2004-11-01 07:05 ------- Created an attachment (id=737) --> (http://bugzilla.mindrot.org/attachment.cgi?id=737&action=view) This is the shell script used to configure this build of openssh ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Nov-02 11:01 UTC
[Bug 948] high CPU in sshd after tcp_wrappers deny
http://bugzilla.mindrot.org/show_bug.cgi?id=948 ------- Additional Comments From dtucker at zip.com.au 2004-11-02 22:01 ------- The code that drops the connection is pretty simple and there's no obvious way for it to get into a loop: if (!hosts_access(&req)) { debug("Connection refused by tcp wrapper"); refuse(&req); /* NOTREACHED */ fatal("libwrap refuse returns"); } When it happens, can you run /usr/ucb/ps auxwww and pick out the pid of the errant process? It should have a few hints about what stage the process is at in the process title. Also, can you reproduce it with sshd in debug mode (eg /path/to/sshd -ddde)? If so, please attach (note: use "Create New Attachment") the debug log to this bug. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
Apparently Analagous Threads
- [Bug 948] high CPU in sshd after tcp_wrappers deny
- [Bug 948] high CPU in sshd after tcp_wrappers deny
- [PATCH]: Add tcp_wrappers protection to port forwarding
- [Bug 973] sshd behaves differently while doing syslog entries for tcpwrappers denied message, with -r and without -r option.
- rsync as a deliberately slow copy?