[PLUG] unusually slow ssh connection

Paul Heinlein heinlein at madboa.com
Mon Oct 18 14:27:01 UTC 2004


On Mon, 18 Oct 2004, Bryan Murdock wrote:

> I ssh'ed from work into my home box just now and the connection 
> seemed really slow.  My first instinct was to browse the logs and I 
> found about a million attempts to log into my box like this one:
>
> Oct 18 07:39:13 murdockfamily sshd(pam_unix)[11742]: authentication
> failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=210.116.107.105  user=root
> Oct 18 07:39:15 murdockfamily sshd[11742]: Failed password for root
> from ::ffff:210.116.107.105 port 42409 ssh2

This sort of attempt at breaking in via weak ssh passwords is, sadly, 
all too common. You can reduce the number of incidents by running ssh 
on a non-standard port (personally, I like port 222).

The only other alternative of which I'm aware is to block inbound ssh 
packets from certain IP blocks; tcp_wrappers or iptables can 
accomplish this. I've not taken that route, however, because I like 
the idea that I can ssh into my machines from anywhere on the 
Internet.

> This was all around 7 am this morning, none lately.  Would a bunch 
> of failed attempts like this cause any slowdown hours later?  Is 
> there something else going on here?

It could be slow or badly configured DNS. If you log in to your system 
and type "host some.fqdn" (where 'some.fqdn' == an obscure Internet 
hostname that's unlikely to be cached on your system), does host 
return a hostname quickly?

--Paul Heinlein <heinlein at madboa.com>
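
Added example, not part of the original message: a small log triage script that counts sshd "Failed password" lines per source address, in the log format quoted above, to show which sources would be candidates for a tcp_wrappers or iptables block. The host name, addresses, user names and the threshold are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# sshd "Failed password" lines; older OpenSSH says "illegal user", newer "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<addr>\S+) port \d+"
)

def normalize(addr):
    """Return the address as text, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)

def failed_logins(lines):
    """Count failed password attempts per (source address, user)."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # pam_unix lines describe the same attempt; skip to avoid double counting
        try:
            src = normalize(m.group("addr"))
        except ValueError:
            continue  # not an IP literal, e.g. a resolved host name
        counts[(src, m.group("user"))] += 1
    return counts

def noisy_sources(lines, threshold=3):
    """Return {source: total failures} for sources at or above the threshold."""
    per_source = Counter()
    for (src, _user), n in failed_logins(lines).items():
        per_source[src] += n
    return {s: n for s, n in per_source.items() if n >= threshold}

# Constructed sample lines (documentation address ranges, made-up host and users).
SAMPLE = [
    "Oct 18 07:39:13 examplehost sshd(pam_unix)[11742]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=root",
    "Oct 18 07:39:15 examplehost sshd[11742]: Failed password for root from ::ffff:192.0.2.10 port 42409 ssh2",
    "Oct 18 07:39:18 examplehost sshd[11743]: Failed password for root from ::ffff:192.0.2.10 port 42411 ssh2",
    "Oct 18 07:39:21 examplehost sshd[11744]: Failed password for invalid user admin from 192.0.2.10 port 42413 ssh2",
    "Oct 18 09:02:44 examplehost sshd[11801]: Failed password for alice from 2001:db8::5 port 50022 ssh2",
]

if __name__ == "__main__":
    print(noisy_sources(SAMPLE))
```

The ::ffff: prefix is stripped before counting, so the same source is not split across two keys when sshd logs it in both forms.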



