Hey guys,
I've recently found a weird IP address amongst my ntop statistics.
I've managed to get a look at the connection through nethogs:
Code:
NetHogs version 0.8.0
  PID USER  PROGRAM                               DEV   SENT      RECEIVED
10986 user  sshd: user@pts/0                      eth1  1293.875  165.113 KB
    ? root  192.168.0.10:22-118.123.213.47:42920        0.000     0.145 KB
    ? root  unknown TCP                                 0.000     0.000 KB
  TOTAL                                                 1293.875  165.258 KB
But nethogs does not report any PID.
[Note: the PID 10986 is mine; I've left it there instead of grepping it away.]
The specified IP address is that of an SSH attacker that has been banned through iptables.
I don't understand whether this is some kind of connection generated by fail2ban or the iptables rdns, or something else.
Should I be alerted?
Any help's appreciated. Thanks!