* Alex Efros [2007-10-21 01:20:51 +0300]:
>Hi!
>
>On Sat, Oct 20, 2007 at 06:11:26PM -0400, George Georgalis wrote:
>> it sounds like a signal is not reaching init, SIGPIPE?
>
>PIPE? You mean CHLD?
>
>> The following sed to default sshd_config
>> s/.*PasswordAuthentication.*/PasswordAuthentication no/
>> s/.*UsePAM.*/UsePAM no/
>> will really cut back the impact of bad internet on public sshd port,
>> of course you will only be able to use keys (PKI/RSA) to connect.
>
>Yeah, this is my default ssh configuration. :) But ssh worms anyway try to
>connect (they don't know it's senseless :)) and so ssh forks new processes
>for these connections and these processes become unreaped zombies at some
>point.

The simplest thing to do would be to either use tcp_wrappers or run sshd
out of xinetd or (my favourite) ipsvd. With some appropriate ACLs and
IP-based restrictions, you can reduce those attacks to *0* reaching sshd as
xinetd/ipsvd would deny them before even starting sshd.

-- 
Vincent Danen @ http://linsec.ca/
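As an added example (not code from the thread), a small POSIX shell script that applies the quoted PasswordAuthentication/UsePAM change idempotently against a constructed sample sshd_config, instead of a blanket `.*KEY.*` substitution: it rewrites only the directive line itself (active or commented out), appends the directive when absent, and reads back the value sshd would actually use (the first active occurrence of a keyword wins). The function names and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent sshd_config hardening on a constructed sample file.
set -eu

# set_directive FILE KEY VALUE
# Rewrite "KEY ..." or "#KEY ..." at line start to "KEY VALUE"; append if absent.
# Anchoring at line start (case-sensitive) leaves comments that merely
# mention the keyword mid-line untouched.
set_directive() {
    file=$1; key=$2; value=$3
    pat="^[[:space:]]*#?[[:space:]]*${key}"
    if grep -Eq "${pat}([[:space:]]|\$)" "$file"; then
        tmp=$(mktemp)
        sed -E "s/${pat}([[:space:]].*)?\$/${key} ${value}/" "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_value FILE KEY: first active (uncommented) value, as sshd resolves it.
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Constructed sample resembling a stock sshd_config (not a real system file).
make_sample() {
    cat > "$1" <<'EOF'
# This is the sshd server system-wide configuration file.
Port 22
#PasswordAuthentication yes
# To disable tunneled clear text passwords, change to no here!
UsePAM yes
EOF
}

# harden FILE: key-only authentication, as suggested in the thread.
harden() {
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" UsePAM no
    set_directive "$1" PubkeyAuthentication yes
}

main() {
    cfg=$(mktemp); make_sample "$cfg"
    harden "$cfg"; harden "$cfg"          # second run must change nothing
    for k in PasswordAuthentication UsePAM PubkeyAuthentication; do
        printf '%s=%s\n' "$k" "$(effective_value "$cfg" "$k")"
    done
    rm -f "$cfg"
}
main
```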