[c-nsp] SSH Sessions on IOS

Paul Stewart pauls at nexicom.net
Sat Apr 30 09:55:57 EDT 2005


One thing to add... this just happened to us on Friday...

I had asked a friend to take a look at something on one of our 6509s.
Because he was on an IP that's not in our existing access lists, I temporarily
removed the access-lists from our VTY ports.  After we discussed some stuff I forgot
to put the access-lists back on...

By later that afternoon, we had a user from a Verizon IP address hammering our
SSH on the switch, driving the CPU to 99%.  It appeared the guy was opening an
SSH session and dropping it shortly thereafter, using 7 or 8 sessions at a time.  The
switch of course has to do a key exchange for each one, costing CPU cycles... with him
hammering, he almost killed the switch....

Long story short, make sure you have access lists in place at all times to
control which remote IPs can connect...:)

Paul


On Sat, 30 Apr 2005 10:32:06 +0100, Ryan O'Connell wrote
> 
> "exec-timeout 30 0" on the vty  will also ensure you don't get
> sessions left hanging about.
> 
> On 27/04/2005 17:30, Dennis Peng wrote:
> 
> | If I understand you correctly, that situation can happen with
> | telnet as well. The router can't tell the difference between a user
> | who is idle and a user who has disappeared off the network because
> | there is no output generated toward the user without input from the
> | user (unless you have debug/logs enabled or something). Try
> | "service tcp-keepalives-in".
> |
> | Dennis
> |
> | Mark Tinka [mtinka at africaonline.co.sz] wrote:
> |
> |> Hi all.
> |>
> |> Is it a bug in IOS to keep an SSH session active after a user
> |> disconnects without explicitly logging out or exiting, or did I
> |> miss a step in the SSH setup?
> |>
> |> Mark.
> 
> - --
> ~         Ryan O'Connell - CCIE #8174
> <ryan at complicity.co.uk> - http://www.complicity.co.uk
> 
> I'm not losing my mind, no I'm not changing my lines,
> I'm just learning new things with the passage of time
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
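
As an added example (not from anyone in this thread), here is a small audit script that checks an IOS running-config for the three controls the thread recommends: an inbound access-class on every vty line, an idle exec-timeout that is not disabled, and "service tcp-keepalives-in". The sample configs are constructed for illustration; the ACL number and address range are placeholders.

```python
"""Audit a Cisco IOS running-config for VTY hardening (constructed example)."""
import re

# Constructed config reproducing the state described in the post: the vty
# access-class was removed and never put back. vty 5-15 also has its idle
# timeout disabled ("exec-timeout 0 0" means never time out).
UNPROTECTED = """\
service tcp-keepalives-in
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 exec-timeout 30 0
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport input ssh
!
"""

# Same config with the access-class restored and a real idle timeout everywhere.
HARDENED = (UNPROTECTED
            .replace(" transport input ssh", " access-class 10 in\n transport input ssh")
            .replace("exec-timeout 0 0", "exec-timeout 30 0"))


def parse_line_blocks(config):
    """Map each 'line ...' header to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented line ends the block
    return blocks


def audit_vty(config):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^service tcp-keepalives-in$", config, re.M):
        findings.append("global: service tcp-keepalives-in missing")
    # ACLs that actually exist, so a dangling access-class is also caught.
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    acls |= set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    for header, cmds in parse_line_blocks(config).items():
        if not header.startswith("line vty"):
            continue
        acl = next((c.split()[1] for c in cmds
                    if c.startswith("access-class ") and c.endswith(" in")), None)
        if acl is None:
            findings.append(f"{header}: no inbound access-class")
        elif acl not in acls:
            findings.append(f"{header}: access-class {acl} references an undefined ACL")
        if not any(c.startswith("exec-timeout ") and c != "exec-timeout 0 0" for c in cmds):
            findings.append(f"{header}: no idle exec-timeout")
    return findings
```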

