Old 11-22-2017, 10:26 AM   #1
Registered: May 2014
Location: Hungary
Posts: 32

Rep: Reputation: Disabled
unknown ssh sessions

Hi Guys,

I need some help and I would like to know whether there is any way to find out which program tries to reach a remote network device via ssh?

Case: today I have noticed in one of my network device's logs (cisco asa) that there are a lot of login attempts from a linux server. The network device and the server are in the same subnet. I dumped network traffic to find out whether that traffic is real or not. It turned out it is real.
Then I tried to figure out which PID tries to connect via ssh, but unfortunately it showed nothing:
tcpdump -n host x.x.x.x and dst port 22
watch -n 0.1 ss -4 -ntp dst x.x.x.x:22
Based on my dump these ssh sessions occur in a very short period of time:
16:16:03.050811 IP x.x.x.x.54247 > x.x.x.x.22: Flags [S], seq 525917221, win 29200, options [mss 1460,sackOK,TS val 958899819 ecr 0,nop,wscale 7], length 0
16:16:03.052535 IP x.x.x.x.54247 > x.x.x.x.22: Flags [.], ack 1133753840, win 29200, length 0
16:16:03.053862 IP x.x.x.x.54247 > x.x.x.x.22: Flags [F.], seq 0, ack 1, win 29200, length 0
16:16:03.055985 IP x.x.x.x.54247 > x.x.x.x.22: Flags [R], seq 525917222, win 0, length 0
16:16:03.055999 IP x.x.x.x.54247 > x.x.x.x.22: Flags [R], seq 525917223, win 0, length 0
16:16:03.056005 IP x.x.x.x.54247 > x.x.x.x.22: Flags [R], seq 525917223, win 0, length 0
So now I don't know how I could step forward to find out what happens on that server.

Thank you in advance for any suggestion

Last edited by jogyulas; 11-22-2017 at 10:36 AM.
Old 11-22-2017, 10:39 AM   #2
Senior Member
Registered: Oct 2005
Location: Horgau, Germany
Distribution: Manjaro KDE, Win 10
Posts: 2,199

Rep: Reputation: 164
Do you have a firewall before your network?

Then block this port.

Somebody tries to log in to your server via ssh.
Old 11-22-2017, 10:41 AM   #3
Registered: Dec 2016
Location: Dublin
Distribution: Fedora
Posts: 70

Rep: Reputation: 4

From the given information I suggest the following:

- Capture all the traffic of the machine to port 22, not just the destination. In the tcpdump output you just showed there is only one direction, and 0 bytes of payload. It would be interesting to see if there is any L7 data exchanged in that conversation.

- Check with netstat -napt whether you can see the process that is generating that conversation.
- Use lsof to verify which processes have tcp connections to port 22.

These are the first actions that I would take.

Old 11-23-2017, 05:21 AM   #4
Registered: May 2014
Location: Hungary
Posts: 32

Original Poster
Rep: Reputation: Disabled
Hi camp0,

Ty for your response. Firstly I tried to run the lsof command with a specific host: watch -n 0.1 'lsof -n -i tcp:22 | grep "x.x.x.x"'
But unfortunately I saw nothing. Then I tried to run the previous command without grep: watch -n 0.1 "lsof -n -i tcp:22"
Here I can see some ssh connections periodically (every minute) and most of them are triggered by the spine command because cacti runs on it. So I tried to test it by disabling the cisco asa device in cacti to see what happens in its log. I saw there were no ssh session logs from the linux server.
So my suspicion is that the ssh sessions are triggered by cacti, but honestly I don't know how spine tries to collect data from devices and why it uses ssh for it.

Best regards,

Last edited by jogyulas; 11-23-2017 at 05:23 AM.
Old 11-24-2017, 04:17 AM   #5
Registered: Dec 2016
Location: Dublin
Distribution: Fedora
Posts: 70

Rep: Reputation: 4

If you tcpdump that connection maybe we can guess what it is trying to do. In the tcpdump that you posted there is no layer 7 payload because you just captured the destination. However, when you make an SSH connection there are some handshake messages that should be seen in the tcpdump, and they are also in plain text; for example at SSH start the client sends this:
Server response:
And after some messages about encryption methods

And I can not see that in your tcpdump output. If you upload the capture it will help, but my suspicion is that those connections are not real SSH.
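The check post #5 describes, written out as a small triage script (an added example, not code from this thread): it parses tcpdump lines like the ones in the original post, groups them into flows, and labels each flow as a bare connect-and-close probe, a session with payload in both directions, or something incomplete. The addresses are constructed documentation addresses (192.0.2.10 stands in for the Linux server, 192.0.2.1 for the ASA) and the second flow is made up to show the contrast.

```python
import re

# Constructed sample, not a real capture: the original post's first four lines with
# 192.0.2.10 as the Linux server and 192.0.2.1 as the ASA, plus four made-up lines of a
# second flow that carries payload both ways, as a real SSH banner exchange would.
SAMPLE = """\
16:16:03.050811 IP 192.0.2.10.54247 > 192.0.2.1.22: Flags [S], seq 525917221, win 29200, options [mss 1460,sackOK,TS val 958899819 ecr 0,nop,wscale 7], length 0
16:16:03.052535 IP 192.0.2.10.54247 > 192.0.2.1.22: Flags [.], ack 1133753840, win 29200, length 0
16:16:03.053862 IP 192.0.2.10.54247 > 192.0.2.1.22: Flags [F.], seq 0, ack 1, win 29200, length 0
16:16:03.055985 IP 192.0.2.10.54247 > 192.0.2.1.22: Flags [R], seq 525917222, win 0, length 0
16:16:10.000000 IP 192.0.2.10.54300 > 192.0.2.1.22: Flags [S], seq 1, win 29200, length 0
16:16:10.001000 IP 192.0.2.1.22 > 192.0.2.10.54300: Flags [S.], seq 1, ack 2, win 28960, length 0
16:16:10.002000 IP 192.0.2.10.54300 > 192.0.2.1.22: Flags [P.], seq 1:22, ack 1, win 29200, length 21
16:16:10.003000 IP 192.0.2.1.22 > 192.0.2.10.54300: Flags [P.], seq 1:40, ack 22, win 28960, length 39
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$"
)

def summarize(dump, ssh_port=22):
    """Group lines into flows keyed by (client ip, client port, server ip); the endpoint
    on ssh_port is taken to be the server. Tracks flags, bytes per direction, duration."""
    flows = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line in this format (ARP, truncated, ...)
        to_server = int(m["dport"]) == ssh_port
        key = (m["src"], int(m["sport"]), m["dst"]) if to_server else (m["dst"], int(m["dport"]), m["src"])
        f = flows.setdefault(key, {"flags": set(), "c2s": 0, "s2c": 0, "start": None, "end": None})
        f["flags"].update(m["flags"].replace(".", ""))  # "." is only the ACK marker
        f["c2s" if to_server else "s2c"] += int(m["len"])
        t = sum(float(x) * k for x, k in zip(m["ts"].split(":"), (3600, 60, 1)))
        f["start"] = t if f["start"] is None else f["start"]
        f["end"] = t
    return flows

def classify(flow):
    """Post #5's reasoning: a flow with no payload at all never carried an SSH banner."""
    if flow["c2s"] + flow["s2c"] == 0 and "S" in flow["flags"] and flow["flags"] & {"F", "R"}:
        return "port-probe: SYN then FIN/RST with no payload, not a real SSH session"
    if flow["c2s"] and flow["s2c"]:
        return "ssh-session: payload in both directions (banner/KEX exchanged)"
    return "incomplete: one-sided data or no teardown seen"

if __name__ == "__main__":
    for (client, port, server), f in summarize(SAMPLE).items():
        print(f"{client}:{port} -> {server}:22 {f['end'] - f['start']:.3f}s {classify(f)}")
```

On a live box, feed it `tcpdump -n -l 'host x.x.x.x and port 22'` output (both directions, as post #3 asks for) instead of the constructed sample.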
Old 11-24-2017, 07:47 AM   #6
LQ Guru
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,219
Blog Entries: 3

Rep: Reputation: 3705
You can watch and automate tracking the offending process.


#!/bin/bash
# For every destination IP that tcpdump sees talking to port 22, look up the
# process that owns the connection and print it (needs root for tcpdump and lsof).
while read ip; do
    pids=$(lsof -t -i "tcp@$ip:22" | paste -sd, -)
    # lsof prints nothing if the connection has already been torn down
    [ -n "$pids" ] && ps -h -o pid,user,cmd -p "$pids"
done < <(
    tcpdump -n -l -q -p -i eth0 'port 22 and dst x.x.x.x' 2>/dev/null \
        | awk '{ sub(/\.[^.]+$/,"",$5); print $5; fflush(); }'
)

exit 0;
Perhaps that is fast enough to catch it in the act so you can then track down whether it is supposed to be doing what it is doing or not.

Edit: Or to avoid a potential race condition,

while read ip; do
    lsof -i "tcp@$ip:22" | sed '1d';   # drop lsof's header line
done < <(tcpdump -n -l -q -p -i eth0 'port 22 and dst x.x.x.x' 2>/dev/null \
         | awk '{ sub(/\.[^.]+$/,"",$5); print $5; fflush(); }')

Last edited by Turbocapitalist; 11-26-2017 at 01:00 AM.

