[Cialug] Rogue SSH Connections

L. V. Lammert lvl at omnitec.net
Mon Oct 7 15:01:25 CDT 2013


Having a problem with ssh connections being opened from a Linux box to a
BSD box (here in the shop), .. in the example below, the Linux box tried
to open an ssh connection from 60301 on .252,.. which leaves the two
connections open - one lvl (me), and one root:

On the BSD box:

lvl      sshd       28242    5* internet stream tcp 0xd8fcc7ec 206.197.251.191:2206 <-- 206.197.251.252:60301
root     sshd        9103    5* internet stream tcp 0xd8fcc7ec 206.197.251.191:2206 <-- 206.197.251.252:60301

tcpdump shows the connection from .252:

14:28:15.259420 marvel.omnitec.net.60301 > apollo.omnitec.net.2206: S
2950403490:2950403490(0) win 14600 <mss 1460,sackOK,timestamp 405541957
0,nop,wscale 7> (DF)
14:28:15.259723 marvel.omnitec.net.60301 > apollo.omnitec.net.2206: . ack
1733911734 win 115 <nop,nop,timestamp 405541957 3356340392> (DF)

BUT there is no process using 60301 on the Linux box:

# lsof | grep 60301

<blank>

Something is opening a connection and then dropping it on the Linux box -
this occurs multiple times a day and eventually blocks sshd from
accepting a connection.

There is a keypair for user lvl (me), but with it disabled nothing
changed.

Any more thoughts on how to isolate the source on the Linux box?

	Thanks!

	Lee
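An added example (not from the post or the list): a poller for the Linux side that reads /proc/net/tcp every few milliseconds, so a socket that lives too briefly for a hand-typed lsof is still caught, and resolves its inode to the owning PID through /proc/*/fd. The sample /proc/net/tcp text is constructed but encodes the post's own endpoints (.252:60301 to .191:2206); it assumes a little-endian Linux host and root for reading other users' fd tables. Even when the process has already exited, the `uid` column narrows down which account opened the socket.

```python
import os, socket, struct, time
# Constructed /proc/net/tcp sample: an sshd listener on :22 and one socket from
# 206.197.251.252:60301 to 206.197.251.191:2206 in state 02 (SYN_SENT), uid 1000.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: FCFBC5CE:EB8D BFFBC5CE:089E 02 00000001:00000000 01:00000010 00000000  1000        0 67890 1"""

def hex_addr(field):
    """Decode the kernel's 'IPHEX:PORTHEX' form (little-endian host) into (dotted ip, port)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text (header skipped) into dicts: local, remote, state, uid, inode."""
    conns = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            conns.append({"local": hex_addr(f[1]), "remote": hex_addr(f[2]),
                          "state": f[3], "uid": int(f[7]), "inode": int(f[9])})
    return conns

def inode_to_pids(inode, proc="/proc"):
    """PIDs whose fd table holds 'socket:[inode]'; empty once the socket is gone (run as root)."""
    target, pids = "socket:[%d]" % inode, []
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target for fd in os.listdir(fd_dir)):
                pids.append(int(pid))
        except OSError:  # process exited meanwhile or its fd table is not readable
            continue
    return pids

def watch(ip, port, rounds=10**9, interval=0.05):
    """Poll /proc/net/tcp far faster than a manual lsof; report each new socket to ip:port once."""
    seen = set()
    for _ in range(rounds):
        with open("/proc/net/tcp") as fh:
            conns = parse_proc_net_tcp(fh.read())
        for c in conns:
            if c["remote"] == (ip, port) and c["inode"] not in seen:
                seen.add(c["inode"])
                print("%s:%d -> %s:%d state=%s uid=%d pids=%s" % (c["local"] + c["remote"]
                      + (c["state"], c["uid"], inode_to_pids(c["inode"]))))
        time.sleep(interval)

if __name__ == "__main__":
    watch("206.197.251.191", 2206)  # the BSD sshd port from the post; adjust as needed
```

Sockets that already reached TIME_WAIT show inode 0 and no owner, so the poll interval has to beat the connection's lifetime; a uid with no PID means the opener exited before the scan reached it.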
