[PLUG] unusually slow ssh connection
Paul Heinlein
heinlein at madboa.com
Mon Oct 18 14:27:01 UTC 2004
On Mon, 18 Oct 2004, Bryan Murdock wrote:
> I ssh'ed from work into my home box just now and the connection
> seemed really slow. My first instinct was to browse the logs and I
> found about a million attempts to log into my box like this one:
>
> Oct 18 07:39:13 murdockfamily sshd(pam_unix)[11742]: authentication
> failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=210.116.107.105 user=root
> Oct 18 07:39:15 murdockfamily sshd[11742]: Failed password for root
> from ::ffff:210.116.107.105 port 42409 ssh2

This sort of attempt at breaking in via weak ssh passwords is, sadly,
all too common. You can reduce the number of incidents by running ssh
on a non-standard port (personally, I like port 222).

The only other alternative of which I'm aware is to block inbound ssh
packets from certain IP blocks; tcp_wrappers or iptables can
accomplish this. I've not taken that route, however, because I like
the idea that I can ssh into my machines from anywhere on the
Internet.

> This was all around 7 am this morning, none lately. Would a bunch
> of failed attempts like this cause any slowdown hours later? Is
> there something else going on here?

It could be slow or badly configured DNS. If you log in to your system
and type "host some.fqdn" (where 'some.fqdn' == an obscure Internet
hostname that's unlikely to be cached on your system), does host
return a hostname quickly?

--Paul Heinlein <heinlein at madboa.com>
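
Added example, not part of the original message: a small Python log check that counts sshd "Failed password" entries per source address and prints candidates in hosts.deny syntax for the tcp_wrappers route mentioned above. The sample log is constructed (documentation addresses, one entry per line as in the log file itself), and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample, one entry per line as in the log file itself.
# Addresses are documentation placeholders, not taken from the thread.
SAMPLE_LOG = """\
Oct 18 07:39:13 home sshd(pam_unix)[11742]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root
Oct 18 07:39:15 home sshd[11742]: Failed password for root from ::ffff:192.0.2.10 port 42409 ssh2
Oct 18 07:39:19 home sshd[11745]: Failed password for root from ::ffff:192.0.2.10 port 42411 ssh2
Oct 18 07:39:23 home sshd[11748]: Failed password for admin from ::ffff:192.0.2.10 port 42413 ssh2
Oct 18 09:02:41 home sshd[12001]: Failed password for bryan from 198.51.100.7 port 51022 ssh2
Oct 18 09:02:47 home sshd[12001]: Accepted password for bryan from 198.51.100.7 port 51022 ssh2
"""

# Only the sshd "Failed password" line is counted; the pam_unix line
# reports the same attempt and would double the totals.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def normalize(addr):
    """Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain a.b.c.d."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return addr  # a hostname was logged; keep it unchanged
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def failed_by_source(text):
    """Count failed password attempts per normalized source address."""
    counts = Counter()
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[normalize(m.group("src"))] += 1
    return counts

def deny_entries(text, threshold=3):
    """hosts.deny lines for sources at or above the threshold (assumed value)."""
    counts = failed_by_source(text)
    return [f"sshd: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]

if __name__ == "__main__":
    for ip, n in failed_by_source(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {ip}")
    print("\n".join(deny_entries(SAMPLE_LOG)))
```

The single failed attempt from 198.51.100.7 is followed by a successful login and stays below the threshold, which is the case to check before denying anything.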