connexion SSHD with user sshd ? Help please

D

davkiller

Hello,

My English is bad, I am very sorry. I hope fear for nothing. Is it possible connecte ssh with user sshd ?

My configuration
Code: 
sshd_conf
PermitRootLogin no 
allowusers myuser (only)
allowgroups wheel (only)
Code: 
[root@*** /# sockstat 
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
sshd     sshd       42639 3  tcp4   88.191.***.***:22     201.116.36.180:43344
sshd     sshd       42639 4  stream -> ??
root     sshd       42638 3  tcp4   88.191.***.***:22     201.116.36.180:43344
root     sshd       42638 6  stream -> ??
root     sshd       41836 3  tcp6   *:22                  *:*
root     sshd       41836 4  tcp4   *:22                  *:*
ddr****  sshd       41757 3  tcp4   88.191.***.***:22     MY IP:50175
ddr****  sshd       41757 4  stream -> ??
root     sshd       41753 3  tcp4   88.191.***.***:22     MY IP:50175
root     sshd       41753 5  stream -> ??

Thank you for your help.

David
 
May be OK. You have removed potentially relevant information from your command output, and it's hard to know what is going on without it. For starters, you may wish to use:
# sockstat -4c
Less noise in that output.

As for the connected IP:
Code: 
~> dig -x 201.116.36.180

;; ANSWER SECTION:
180.36.116.201.in-addr.arpa. 89786 IN	PTR	static.customer-201-116-36-180.uninet-ide.com.mx.

Is that unexpected? If so, you may wish to look at output from:
# fstat -p 42639
 
Thank you very much.

here it is me. But 201.116.36.180 it is unknow!
Code: 
[root@guf /]# sockstat -4c
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
ddr      sshd       41757 3  tcp4   88.191.227.100:22     82.232.73.201:50175
root     sshd       41753 3  tcp4   88.191.227.100:22     82.232.73.201:50175
ddr      sshd       24601 3  tcp4   88.191.227.100:22     82.232.73.201:46115
root     sshd       24598 3  tcp4   88.191.227.100:22     82.232.73.201:46115
ddr      sshd       71127 3  tcp4   88.191.227.100:22     88.172.161.114:59213
root     sshd       71123 3  tcp4   88.191.227.100:22     88.172.161.114:59213
ddr      sshd       65655 3  tcp4   88.191.227.100:22     88.172.161.114:54000
root     sshd       65607 3  tcp4   88.191.227.100:22     88.172.161.114:54000

Code: 
[root@** /]# fstat -p 43877
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
sshd     sshd       43877 root /var     3532800 dr-xr-xr-x     512  r
sshd     sshd       43877   wd /var     3532800 dr-xr-xr-x     512  r
sshd     sshd       43877 jail /var     3532800 dr-xr-xr-x     512  r
sshd     sshd       43877 text /usr     5958662 -r-xr-xr-x  194032  r
sshd     sshd       43877    0 /dev         28 crw-rw-rw-    null rw
sshd     sshd       43877    1 /dev         28 crw-rw-rw-    null rw
sshd     sshd       43877    2 /dev         28 crw-rw-rw-    null rw
sshd     sshd       43877    3* internet stream tcp c85dfae0
sshd     sshd       43877    4* local stream c4352348 <-> c43517e0
sshd     sshd       43877    5* pipe c41fa874 <-> c41fa7bc      0 rw

My question is : is it dangerous for my server ?
 
Have you made any changes to sshd_config(5)? Specifically, are you using ChrootDirectory?

Check /var/log/auth.log to see if a user named "sshd" has actually authenticated. (Not likely. It is a system / service account.)

Search for the offending IP in that log file. He may just be launching a dictionary attack against your server. Remember, you are only seeing established TCP connections with the sockstat(1) output. You are not looking at authenticated sessions. Assuming he has not logged in, and that you're using and enforcing strong passwords, and that you keep your FreeBSD system up to date, I would not worry about it too much.
 
You must log in or register to reply here.
Back
Top