droberson / ssh-honeypot

Fake sshd that logs ip addresses, usernames, and passwords.
MIT License

ssh-honeypot creates hundreds of forks, consuming all memory #21

Open vegaelle opened 4 years ago

vegaelle commented 4 years ago

Hi. I’ve been using ssh-honeypot for a few weeks now, and I noticed that the server has a very concerning RAM usage. This server is a firewall, and only uses iptables (kernel-space) and ssh-honeypot. Here’s my monitoring graph for the last 7 days:

[Image: 2020-12-02-110820_grim]

The drops in memory consumption are when I restart the ssh-honeypot service (using openrc). Right now, there are 425 honeypot processes running.

Why is ssh-honeypot behaving like this, and what can be done to prevent crashing my server every 2 days if I don’t manually stop the service?

husixu1 commented 3 years ago

I faced the same issue. After a bit of debugging and digging into the source code, I found that in the `handle_ssh_auth()` function, the call to `ssh_handle_key_exchange()` further calls `ssh_handle_packets_termination()` to handle packets, which is blocking and uses an infinite timeout by default. And if the authentication is interrupted midway before the polling starts, the subprocess blocks infinitely, causing a memory (and process number) leak.

So the solution is to set a valid timeout for the allocated session. In the `main()` function, below `session = ssh_new ();`, add:

```c
long timeout = 5; // set default timeout to 5s
ssh_options_set(session, SSH_OPTIONS_TIMEOUT, (void *)(&timeout));
```

And that should fix this issue (at least it works for me).
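
The failure mode described in the comment above, reproduced without libssh as an added example (not part of the original comment or of ssh-honeypot's code): a forked per-connection child waits on a peer that never sends, once with a bounded timeout and once with an infinite one. `wait_for_peer()` and `serve_silent_peer()` are hypothetical names, `poll()` stands in for libssh's blocking packet wait, and the silent client is a constructed socketpair; the parent-side kill after `watch_ms` is an extra safeguard assumed here, not something the thread proposes.

```c
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the blocking packet wait: poll() for the peer's
 * first bytes. timeout_ms < 0 means "wait forever", like the default the
 * comment describes. Returns 1 on data/EOF, 0 on timeout, -1 on error. */
static int wait_for_peer(int fd, int timeout_ms) {
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int r = poll(&p, 1, timeout_ms);
    return r > 0 ? 1 : r;
}

/* Fork one child per "connection" from a constructed silent client (a
 * socketpair end the parent never writes to). Returns the child's exit code
 * (3 = timed out cleanly), -1 if it was still blocked after watch_ms and had
 * to be killed, -2 on setup failure. */
int serve_silent_peer(int timeout_ms, int watch_ms) {
    int sv[2], status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -2;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -2; }
    if (pid == 0) {                       /* child: the per-connection handler */
        close(sv[0]);
        _exit(wait_for_peer(sv[1], timeout_ms) == 0 ? 3 : 4);
    }
    close(sv[1]);                         /* parent keeps sv[0] open, stays silent */
    for (int waited = 0; waited < watch_ms; waited += 10) {
        if (waitpid(pid, &status, WNOHANG) == pid) {
            close(sv[0]);
            return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
        }
        poll(NULL, 0, 10);                /* sleep 10 ms */
    }
    kill(pid, SIGKILL);                   /* parent-side watchdog reaps the stuck child */
    waitpid(pid, &status, 0);
    close(sv[0]);
    return -1;
}

int main(void) {
    printf("bounded wait (100 ms):  %d\n", serve_silent_peer(100, 1000));
    printf("infinite wait:          %d\n", serve_silent_peer(-1, 300));
    return 0;
}
```
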

vegaelle commented 2 years ago

Hi. Would it be possible to integrate this patch? The project doesn’t seem active anymore. @jorgeverastegui is your fork intended to be a take-over?

droberson commented 2 years ago

added.