IP addresses that are connecting via SSH.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Post by hack3rcon » 2021/01/10 12:38:40

Hello,
I ran the command below to see the SSH connections:

$ netstat -nat | grep :22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 172.20.100.63:22        X.X.X.X:3054            ESTABLISHED
tcp        0      0 172.20.100.63:22        X.X.X.X:3702            ESTABLISHED
tcp        0      0 172.20.100.63:22        X.X.X.X:4230            ESTABLISHED
tcp        0      0 172.20.100.63:22        X.X.X.X:4678            ESTABLISHED
tcp        0      0 172.20.100.63:22        X.X.X.X:3988            ESTABLISHED
tcp        0      0 172.20.100.63:22        X.X.X.X:4866            ESTABLISHED
tcp        0      0 172.20.100.63:22        172.21.50.63:40456      ESTABLISHED
tcp        0      0 172.20.100.63:22        X.X.X.X:2430            ESTABLISHED
tcp        0      0 172.20.100.63:22        X.X.X.X:3406            ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN 
And:

$ w
 16:00:43 up 138 days, 27 min,  5 users,  load average: 0.04, 0.03, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
User   pts/4    172.21.50.63     15:55    1.00s  0.10s  0.01s w
Are those IP addresses really connected to my server? How can I be sure?

Thank you.

BShT
Posts: 583
Joined: 2019/10/09 12:31:40

Post by BShT » 2021/01/11 17:18:53

Yes, they are, or they are trying to brute force you.

Look at
sudo cat /var/log/secure

and install fail2ban.

tunk
Posts: 1204
Joined: 2017/02/22 15:08:17

Post by tunk » 2021/01/11 18:20:14

You could also try the lastb command.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Post by hack3rcon » 2021/01/12 20:17:23

BShT wrote:
2021/01/11 17:18:53
yes, they are or they are trying to brute force you


look at
sudo cat /var/log/secure

and install fail2ban

Any success?

# cat /var/log/secure
Jan 10 15:55:30 server sshd[1843156]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 10 16:02:35 server sshd[1843156]: pam_unix(sshd:session): session closed for user jason
Jan 10 17:38:08 server sshd[1846220]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 10 17:38:29 server sshd[1846220]: pam_unix(sshd:session): session closed for user jason
Jan 11 16:13:48 server sshd[1886539]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 11 16:15:52 server sshd[1886539]: pam_unix(sshd:session): session closed for user jason
Jan 11 23:00:02 server systemd[1898725]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jan 12 22:26:54 server sshd[1943706]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 12 22:28:39 server sudo[1943925]:  jason : TTY=pts/4 ; PWD=/home/jason ; USER=root ; COMMAND=/bin/su
Jan 12 22:28:39 server sudo[1943925]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 12 22:28:39 server sudo[1943925]: pam_unix(sudo:session): session opened for user root by jason(uid=0)
Jan 12 22:28:39 server su[1943934]: pam_systemd(su:session): Cannot create session: Already running in a session or user slice
Jan 12 22:28:39 server su[1943934]: pam_unix(su:session): session opened for user root by jason(uid=0)
Jan 12 22:33:30 server sshd[1944061]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 12 22:33:42 server sudo[1944096]:  jason : TTY=pts/5 ; PWD=/home/jason ; USER=root ; COMMAND=/bin/su
Jan 12 22:33:42 server sudo[1944096]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 12 22:33:42 server sudo[1944096]: pam_unix(sudo:session): session opened for user root by jason(uid=0)
Jan 12 22:33:42 server su[1944105]: pam_systemd(su:session): Cannot create session: Already running in a session or user slice
Jan 12 22:33:42 server su[1944105]: pam_unix(su:session): session opened for user root by jason(uid=0)
Jan 12 22:35:45 server sshd[1944153]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 12 22:35:50 server sudo[1944184]:  jason : TTY=pts/6 ; PWD=/home/jason ; USER=root ; COMMAND=/bin/su
Jan 12 22:35:50 server sudo[1944184]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 12 22:35:50 server sudo[1944184]: pam_unix(sudo:session): session opened for user root by jason(uid=0)
Jan 12 22:35:50 server su[1944192]: pam_systemd(su:session): Cannot create session: Already running in a session or user slice
Jan 12 22:35:50 server su[1944192]: pam_unix(su:session): session opened for user root by jason(uid=0)
Jan 12 22:36:06 server sshd[1944061]: pam_unix(sshd:session): session closed for user jason
Jan 12 22:36:06 server su[1944105]: pam_unix(su:session): session closed for user root
Jan 12 22:36:06 server sudo[1944096]: pam_unix(sudo:session): session closed for user root
Jan 12 22:36:40 server su[1944192]: pam_unix(su:session): session closed for user root
Jan 12 22:36:40 server sudo[1944184]: pam_unix(sudo:session): session closed for user root
Jan 12 22:36:42 server sshd[1944153]: pam_unix(sshd:session): session closed for user jason
Jan 12 23:38:41 server sshd[1946030]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 12 23:39:42 server sudo[1946102]:  jason : TTY=pts/5 ; PWD=/home/jason ; USER=root ; COMMAND=/bin/su
Jan 12 23:39:42 server sudo[1946102]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 12 23:39:42 server sudo[1946102]: pam_unix(sudo:session): session opened for user root by jason(uid=0)
Jan 12 23:39:42 server su[1946109]: pam_systemd(su:session): Cannot create session: Already running in a session or user slice
Jan 12 23:39:42 server su[1946109]: pam_unix(su:session): session opened for user root by jason(uid=0)
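
An ESTABLISHED TCP connection to port 22 only shows that the handshake completed, not that the peer logged in. As an added example (not part of any post in this thread), the script below cross-checks the peers from `netstat -nat` against sshd's Accepted/Failed lines in /var/log/secure. The sample data is constructed, and the function names `classify_peers` and `run_sample` are this example's own.

```bash
#!/usr/bin/env bash
# Added example. All sample data is constructed; outside peers use RFC 5737 documentation addresses.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 172.20.100.63:22        198.51.100.7:3054       ESTABLISHED
tcp        0      0 172.20.100.63:22        198.51.100.7:3702       ESTABLISHED
tcp        0      0 172.20.100.63:22        172.21.50.63:40456      ESTABLISHED
tcp        0      0 172.20.100.63:22        203.0.113.9:2430        ESTABLISHED
tcp        0      0 172.20.100.63:2222      192.0.2.50:5000         ESTABLISHED'
SECURE_SAMPLE='Jan 10 15:55:29 server sshd[1843156]: Accepted password for jason from 172.21.50.63 port 40456 ssh2
Jan 10 15:55:30 server sshd[1843156]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 10 15:56:01 server sshd[1843200]: Failed password for root from 198.51.100.7 port 3054 ssh2
Jan 10 15:56:04 server sshd[1843201]: Failed password for invalid user admin from 198.51.100.7 port 3702 ssh2'

# classify_peers LOGFILE NETSTATFILE
# Prints one line per remote IP that holds an ESTABLISHED connection to local port 22.
classify_peers() {
  awk '
    # Auth log: count sshd Accepted/Failed lines per source IP.
    FILENAME == ARGV[1] && $5 ~ /^sshd\[/ && ($6 == "Accepted" || $6 == "Failed") {
      ip = ""
      # Take the last "from <ip> port" triple; the user name before it is client-supplied.
      for (i = 7; i + 2 <= NF; i++) if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
      if (ip != "") { if ($6 == "Accepted") ok[ip]++; else bad[ip]++ }
    }
    # netstat: local address must end in :22 exactly (":2222" and remote ports do not count).
    FILENAME == ARGV[2] && $6 == "ESTABLISHED" && $4 ~ /:22$/ {
      ip = $5; sub(/:[0-9]+$/, "", ip); conns[ip]++
    }
    END {
      for (ip in conns) {
        verdict = (ip in ok) ? "authenticated" : (ip in bad) ? "failed-only" : "no-auth-record"
        printf "%s conns=%d accepted=%d failed=%d %s\n", ip, conns[ip], ok[ip], bad[ip], verdict
      }
    }' "$1" "$2" | sort
}

# Run the classifier over the constructed samples above.
run_sample() {
  tmp=$(mktemp -d)
  printf '%s\n' "$SECURE_SAMPLE"  > "$tmp/secure"
  printf '%s\n' "$NETSTAT_SAMPLE" > "$tmp/netstat"
  classify_peers "$tmp/secure" "$tmp/netstat"
  rm -rf "$tmp"
}
run_sample
```

On a live host, save `netstat -nat` output to a file and pass it with /var/log/secure (read as root); peers reported as `failed-only` or `no-auth-record` hold a socket open without a recorded login.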
