bugzilla-daemon at mindrot.org
2004-Oct-31 19:59 UTC
[Bug 948] high CPU in sshd after tcp_wrappers deny
http://bugzilla.mindrot.org/show_bug.cgi?id=948
Summary: high CPU in sshd after tcp_wrappers deny
Product: Portable OpenSSH
Version: 3.9p1
Platform: Sparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: atlunde at panix.com
CC: atlunde at panix.com
We are using OpenSSH sshd built with the tcp_wrappers library, and rules set to
deny access not coming from our local domain.
Recently we have seen cases where an sshd process was left running and consuming
a large amount of CPU. Looking at the logs and the time the process was started,
it appears that the trigger was a denied ssh connection blocked by tcp_wrappers.
(I suspect this was the password guessing attack that's been going around
recently, because we've gotten few blocked ssh connections in the past, but
I can't say for sure.)
This was on Solaris 8, openssh-3.9p1, OpenSSL 0.9.7d, tcp_wrappers 7.6
uname -a
SunOS XXXXXX 5.8 Generic_108528-18 sun4u sparc SUNW,Sun-Fire-280R
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Oct-31 20:05 UTC
[Bug 948] high CPU in sshd after tcp_wrappers deny
http://bugzilla.mindrot.org/show_bug.cgi?id=948
------- Additional Comments From atlunde at panix.com 2004-11-01 07:05 -------
Created an attachment (id=737)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=737&action=view)
This is the shell script used to configure this build of openssh
bugzilla-daemon at mindrot.org
2004-Nov-02 11:01 UTC
[Bug 948] high CPU in sshd after tcp_wrappers deny
http://bugzilla.mindrot.org/show_bug.cgi?id=948
------- Additional Comments From dtucker at zip.com.au 2004-11-02 22:01 -------
The code that drops the connection is pretty simple and there's no obvious
way for it to get into a loop:

    if (!hosts_access(&req)) {
        debug("Connection refused by tcp wrapper");
        refuse(&req);
        /* NOTREACHED */
        fatal("libwrap refuse returns");
    }

When it happens, can you run /usr/ucb/ps auxwww and pick out the pid of the
errant process? It should have a few hints about what stage the process is at
in the process title.
Also, can you reproduce it with sshd in debug mode (eg /path/to/sshd -ddde)? If
so, please attach (note: use "Create New Attachment") the debug log to
this bug.