sshd high CPU usage

I noticed on one of my servers that I'd see a spike in CPU usage to 20% for a few hours and then it'd drop. I set my alert threshold to be much lower so I could see what was going on when this happened. It would appear that sshd is occasionally consuming 15 - 20% CPU for a prolonged period of time in very short bursts. I realized fail2ban wasn't installed on this server, so I installed that and checked the sshd auth logs. Nothing abnormal in the auth logs, just a few random attempts every minute. This didn't seem to help. I'm not really sure what could be causing this, so I thought I'd see if anyone has any ideas? I will be dropping all traffic to port 22 to see if this helps over the next few days just to see if that helps. Overall resource usage is low, this is a database server that is not really being utilized. I'm more concerned with the potentially abnormal behavior than resource usage.

Monitoring - https://imgur.com/a/3r8z9Sf
sshd in top - https://imgur.com/a/nEgHpBU
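
An added example, not part of the original post or any reply: one way to read the auth log beyond failed logins is to bucket every sshd line per minute and per source address, counting connections dropped before authentication separately, so the result can be lined up with the CPU graph. The sample lines are constructed, the addresses come from documentation ranges, and the classic `Mon DD HH:MM:SS host sshd[pid]:` syslog layout is assumed.

```shell
#!/usr/bin/env bash
# Added example. SAMPLE_LOG is constructed data; the IPs are RFC 5737
# documentation addresses. Assumes the classic syslog line layout.
SAMPLE_LOG='Mar  3 02:14:01 db1 sshd[4101]: Connection closed by 203.0.113.7 port 40122 [preauth]
Mar  3 02:14:02 db1 sshd[4102]: Connection closed by 203.0.113.7 port 40124 [preauth]
Mar  3 02:14:02 db1 CRON[4103]: pam_unix(cron:session): session opened for user root
Mar  3 02:14:05 db1 sshd[4104]: Did not receive identification string from 203.0.113.7 port 40130
Mar  3 02:14:30 db1 sshd[4105]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  3 02:15:10 db1 sshd[4106]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar  3 02:15:11 db1 sshd[4107]: Connection closed by 203.0.113.7 port 40188 [preauth]'

# Reads syslog lines on stdin; prints "<Mon> <DD> <HH:MM> <count>" for each
# minute that has sshd lines, in the order the minutes first appear.
sshd_events_per_minute() {
  awk '$5 ~ /^sshd\[/ {
         key = $1 " " $2 " " substr($3, 1, 5)
         if (!(key in n)) order[++k] = key
         n[key]++
       }
       END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }'
}

# Reads syslog lines on stdin; prints "<ip> <events> <preauth_drops>",
# busiest source first. The address is taken as the field before "port".
sshd_sources() {
  awk '$5 ~ /^sshd\[/ {
         ip = ""
         for (i = 7; i <= NF; i++) if ($i == "port") ip = $(i - 1)
         if (ip == "") next
         total[ip]++
         # Connections that ended before any login attempt was made
         if ($0 ~ /\[preauth\]/ || $0 ~ /Did not receive identification/) pre[ip]++
       }
       END { for (ip in total) print ip, total[ip], pre[ip] + 0 }' |
    sort -k2,2nr -k1,1
}

# Run both summaries over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | sshd_events_per_minute
printf '%s\n' "$SAMPLE_LOG" | sshd_sources
```

On a real host, feed the functions the sshd log instead of the sample, for example `sshd_sources < /var/log/auth.log` on Debian-style systems (the path is an assumption and differs per distribution).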

Comments

  • Move ssh port away from 22

  • layer7 Member, Host Rep, LIR

    Hi,

    in general you could start the sshd with debug flags. That will spam your log but at least you would get a better insight of what sshd is doing.

    Before that, just like you already suggested, move sshd away to some other port or, if possible, maybe even bind it to 127.0.0.1 to make sure that no external event can be the cause.

    If you can't find anything, boot your system into the system rescue iso and check if the behavior is there. If it's not, then you have a hint that your system might be hacked already. If it's still there, then, well, things would become super ugly, maybe asking for some voodoo doctor to support you to get the bad ghost out of your server :p ;)

  • @egoror said:
    Move ssh port away from 22

    None of the auth attempts were to port 22, so I'm not confident this would solve the issue

    @layer7 said:
    Hi,

    in general you could start the sshd with debug flags. That will spam your log but at least you would get a better insight of what sshd is doing.

    Before that, just like you already suggested, move sshd away to some other port or, if possible, maybe even bind it to 127.0.0.1 to make sure that no external event can be the cause.

    If you can't find anything, boot your system into the system rescue iso and check if the behavior is there. If it's not, then you have a hint that your system might be hacked already. If it's still there, then, well, things would become super ugly, maybe asking for some voodoo doctor to support you to get the bad ghost out of your server :p ;)

    I'll try that tomorrow if it happens again. It was happening overnight while I was sleeping, so I was glad to just be able to observe for a bit. My fear is it's malicious but...

    https://imgur.com/a/dtM7JAf You can see where I installed fail2ban and then you can see where I blocked port 22, so maybe that really was the issue... I'm definitely open to calling a voodoo priest if it doesn't work out

  • layer7 Member, Host Rep, LIR

    Hi,

    if it was just a short time event, then you will actually not catch that now easily.

    So for now, simply observe. Good luck!
