Issues related to configuring your network
-
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
by hack3rcon » 2021/01/10 12:38:40
Hello,
I ran the command below to see the SSH connections:
Code:
$ netstat -nat | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 172.20.100.63:22 X.X.X.X:3054 ESTABLISHED
tcp 0 0 172.20.100.63:22 X.X.X.X:3702 ESTABLISHED
tcp 0 0 172.20.100.63:22 X.X.X.X:4230 ESTABLISHED
tcp 0 0 172.20.100.63:22 X.X.X.X:4678 ESTABLISHED
tcp 0 0 172.20.100.63:22 X.X.X.X:3988 ESTABLISHED
tcp 0 0 172.20.100.63:22 X.X.X.X:4866 ESTABLISHED
tcp 0 0 172.20.100.63:22 172.21.50.63:40456 ESTABLISHED
tcp 0 0 172.20.100.63:22 X.X.X.X:2430 ESTABLISHED
tcp 0 0 172.20.100.63:22 X.X.X.X:3406 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
And:
Code:
$ w
16:00:43 up 138 days, 27 min, 5 users, load average: 0.04, 0.03, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
User pts/4 172.21.50.63 15:55 1.00s 0.10s 0.01s w
Are those IP addresses really connected to my server? How can I be sure?
Thank you.
-
BShT
- Posts: 583
- Joined: 2019/10/09 12:31:40
by BShT » 2021/01/11 17:18:53
Yes, they are, or they are trying to brute-force you.
Look at
sudo cat /var/log/secure
and install fail2ban.
-
tunk
- Posts: 1204
- Joined: 2017/02/22 15:08:17
by tunk » 2021/01/11 18:20:14
You could also try the lastb command.
-
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
by hack3rcon » 2021/01/12 20:17:23
BShT wrote: ↑2021/01/11 17:18:53
Yes, they are, or they are trying to brute-force you.
Look at
sudo cat /var/log/secure
and install fail2ban.
Any success?
Code:
# cat /var/log/secure
Jan 10 15:55:30 server sshd[1843156]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 10 16:02:35 server sshd[1843156]: pam_unix(sshd:session): session closed for user jason
Jan 10 17:38:08 server sshd[1846220]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 10 17:38:29 server sshd[1846220]: pam_unix(sshd:session): session closed for user jason
Jan 11 16:13:48 server sshd[1886539]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 11 16:15:52 server sshd[1886539]: pam_unix(sshd:session): session closed for user jason
Jan 11 23:00:02 server systemd[1898725]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jan 12 22:26:54 server sshd[1943706]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 12 22:28:39 server sudo[1943925]: jason : TTY=pts/4 ; PWD=/home/jason ; USER=root ; COMMAND=/bin/su
Jan 12 22:28:39 server sudo[1943925]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 12 22:28:39 server sudo[1943925]: pam_unix(sudo:session): session opened for user root by jason(uid=0)
Jan 12 22:28:39 server su[1943934]: pam_systemd(su:session): Cannot create session: Already running in a session or user slice
Jan 12 22:28:39 server su[1943934]: pam_unix(su:session): session opened for user root by jason(uid=0)
Jan 12 22:33:30 server sshd[1944061]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 12 22:33:42 server sudo[1944096]: jason : TTY=pts/5 ; PWD=/home/jason ; USER=root ; COMMAND=/bin/su
Jan 12 22:33:42 server sudo[1944096]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 12 22:33:42 server sudo[1944096]: pam_unix(sudo:session): session opened for user root by jason(uid=0)
Jan 12 22:33:42 server su[1944105]: pam_systemd(su:session): Cannot create session: Already running in a session or user slice
Jan 12 22:33:42 server su[1944105]: pam_unix(su:session): session opened for user root by jason(uid=0)
Jan 12 22:35:45 server sshd[1944153]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 12 22:35:50 server sudo[1944184]: jason : TTY=pts/6 ; PWD=/home/jason ; USER=root ; COMMAND=/bin/su
Jan 12 22:35:50 server sudo[1944184]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 12 22:35:50 server sudo[1944184]: pam_unix(sudo:session): session opened for user root by jason(uid=0)
Jan 12 22:35:50 server su[1944192]: pam_systemd(su:session): Cannot create session: Already running in a session or user slice
Jan 12 22:35:50 server su[1944192]: pam_unix(su:session): session opened for user root by jason(uid=0)
Jan 12 22:36:06 server sshd[1944061]: pam_unix(sshd:session): session closed for user jason
Jan 12 22:36:06 server su[1944105]: pam_unix(su:session): session closed for user root
Jan 12 22:36:06 server sudo[1944096]: pam_unix(sudo:session): session closed for user root
Jan 12 22:36:40 server su[1944192]: pam_unix(su:session): session closed for user root
Jan 12 22:36:40 server sudo[1944184]: pam_unix(sudo:session): session closed for user root
Jan 12 22:36:42 server sshd[1944153]: pam_unix(sshd:session): session closed for user jason
Jan 12 23:38:41 server sshd[1946030]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 12 23:39:42 server sudo[1946102]: jason : TTY=pts/5 ; PWD=/home/jason ; USER=root ; COMMAND=/bin/su
Jan 12 23:39:42 server sudo[1946102]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 12 23:39:42 server sudo[1946102]: pam_unix(sudo:session): session opened for user root by jason(uid=0)
Jan 12 23:39:42 server su[1946109]: pam_systemd(su:session): Cannot create session: Already running in a session or user slice
Jan 12 23:39:42 server su[1946109]: pam_unix(su:session): session opened for user root by jason(uid=0)
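
One way to cross-check the two outputs discussed in this thread, as an added example that is not part of the original posts: pair the sshd "session opened"/"session closed" lines by PID to see which logins are still open, and count ESTABLISHED connections to local port 22 per remote address. The function names and all sample data (including the documentation-range IP addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# sshd sessions opened but not yet closed in a /var/log/secure-style log
# (stdin). Open and close lines are paired by sshd PID. Prints "<pid> <user>".
open_sessions() {
    awk '/ sshd\[[0-9]+\]: pam_unix\(sshd:session\): session (opened|closed) for user / {
            pid = $5; gsub(/[^0-9]/, "", pid)
            if ($8 == "opened") sess[pid] = $11; else delete sess[pid]
         }
         END { for (p in sess) print p, sess[p] }' | sort -n
}

# ESTABLISHED connections per remote address from `netstat -nat` output
# (stdin). Matches the local-address column exactly, so unlike `grep :22` it
# ignores ports such as :2230 and connections this host made outbound.
# Prints "<count> <remote-ip>".
established_peers() {
    awk '$6 == "ESTABLISHED" && $4 ~ /:22$/ {
            ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -k2
}

sample_log() {   # constructed lines in the format shown in the thread
    cat <<'EOF'
Jan 12 22:26:54 server sshd[1001]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 12 22:33:30 server sshd[1002]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 12 22:36:06 server sshd[1002]: pam_unix(sshd:session): session closed for user jason
Jan 12 22:40:00 server sudo[1003]: pam_unix(sudo:session): session opened for user root by jason(uid=0)
EOF
}

sample_netstat() {   # constructed; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges
    cat <<'EOF'
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 172.20.100.63:22 192.0.2.10:40456 ESTABLISHED
tcp 0 0 172.20.100.63:22 198.51.100.7:3054 ESTABLISHED
tcp 0 0 172.20.100.63:22 198.51.100.7:3702 ESTABLISHED
tcp 0 0 172.20.100.63:2230 198.51.100.9:5000 ESTABLISHED
tcp 0 0 172.20.100.63:51000 192.0.2.20:22 ESTABLISHED
EOF
}

echo "open sessions:";        sample_log | open_sessions
echo "connections per peer:"; sample_netstat | established_peers
```

On a live host, pipe `sudo cat /var/log/secure` and `netstat -nat` into the two functions instead of the samples. ESTABLISHED connections beyond the number of open sessions belong to peers that hold a TCP connection but have no logged-in session recorded in that log.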