# ssh ESTABLISHED to unknown ip

## recupero

Upon noticing some activity on eth0, I discover some unwanted(?) traffic.

```
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    720 192.168.1.9:ssh         adsl89-120-218-10:22189 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    777      @/org/kernel/udev/udevd
unix  3      [ ]         STREAM     CONNECTED     500774
unix  3      [ ]         STREAM     CONNECTED     500773
unix  3      [ ]         DGRAM                    780
unix  3      [ ]         DGRAM                    779
```

Where 192.168.1.9 is my host, to which ssh is open.

I cannot find any trace of this connection in /var/log/wtmp.

What is this connection?

----------

## NeddySeagoon

recupero,

Check your /var/log/sshd logs to see if an uninvited guest got in via ssh.

Look at all your other logs too.  89-120-218-10 is in Romania, so it looks bad.

If you have been compromised, you can't salvage anything from the install. You need to find out how they got in and fix it, and reinstall.

Try chkrootkit and rootkit hunter.  Your guests need not have got root to make use of your system though.

----------

## eccerr0r

Of course it's possible something nefarious is going on.  While it may be true that someone may have broken in and actually is actively using your computer, it's somewhat more likely that someone's just connected to your SSH port and is just sitting there trying combinations of users/passwords to try to get in, but unsuccessfully.  An "Established" TCP connection does not necessarily mean an "Authenticated" (i.e. logged in) session.

While this latter scenario "may" seem benign, it's still something to think about.  However, as long as you have good passwords or are using PKI you should be fine.

I think pretty much all Linux boxes around the world with the ssh port at 22 and open to the world are being hammered by random ssh requests, trying to find insecure boxes... You might just be being attacked by that and have caught it in the act.  Just hope it was an unsuccessful attempt.

----------

## d2_racing

I suggest that you install iptables on your box, my friend, and double-check your log.

Maybe it's only a dictionary attack.

You can counter that with this kind of iptables lines:

```
# record the source address of every new connection to port 22
$IPT -A INPUT -i $wan -p tcp -s 0/0 --destination-port 22 -m state --state NEW -m recent --set
# drop a source that opens 3 or more new connections to port 22 within 600 seconds
$IPT -A INPUT -i $wan -p tcp -s 0/0 --destination-port 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP
```

This will reject an IP for 10 minutes if it tries to launch a brute-force attack on your ssh port.

----------

## cach0rr0

It's really almost getting to the point where IP-based blockages are pointless. Rather, things like fail2ban and whatnot... I no longer get any use out of it.

And key-based auth is a no-go for me.

ANYWAY, as someone else mentioned, this is just an established connection, not an authenticated session. It could be a connection attempt, it could be one of the zillion random probes; the key is to look for failed authentication attempts.

NB: scenarios like this have been all too common:

```
/var/log/auth.log:Jan  1 18:59:02 gentoob0x sshd[20613]: Failed keyboard-interactive/pam for invalid user changwc from 190.146.246.36 port 6257 ssh2
/var/log/auth.log:Jan  1 19:11:15 gentoob0x sshd[20729]: Failed keyboard-interactive/pam for invalid user changyu from 190.146.246.36 port 21690 ssh2
/var/log/auth.log:Jan  1 19:35:28 gentoob0x sshd[20958]: Failed keyboard-interactive/pam for invalid user chao from 194.78.48.108 port 61083 ssh2
/var/log/auth.log:Jan  1 19:47:42 gentoob0x sshd[21055]: Failed keyboard-interactive/pam for invalid user chao from 80.169.105.159 port 45826 ssh2
/var/log/auth.log:Jan  1 19:59:55 gentoob0x sshd[21193]: Failed keyboard-interactive/pam for invalid user chao from 194.78.48.108 port 56792 ssh2
/var/log/auth.log:Jan  1 20:36:38 gentoob0x sshd[21514]: Failed keyboard-interactive/pam for invalid user chao from 219.234.95.164 port 28775 ssh2
/var/log/auth.log:Jan  1 21:01:10 gentoob0x sshd[21754]: Failed keyboard-interactive/pam for invalid user chaohwa from 190.146.246.36 port 3441 ssh2
/var/log/auth.log:Jan  1 21:13:22 gentoob0x sshd[21859]: Failed keyboard-interactive/pam for invalid user chaot from 211.115.234.143 port 49276 ssh2
/var/log/auth.log:Jan  1 21:37:44 gentoob0x sshd[22095]: Failed keyboard-interactive/pam for invalid user chayn from 78.43.82.153 port 51522 ssh2
/var/log/auth.log:Jan  1 21:50:04 gentoob0x sshd[22223]: Failed keyboard-interactive/pam for invalid user chbi from 84.246.69.21 port 34402 ssh2
/var/log/auth.log:Jan  1 22:50:45 gentoob0x sshd[22804]: Failed keyboard-interactive/pam for invalid user cheang from 58.247.222.163 port 37210 ssh2
/var/log/auth.log:Jan  1 23:03:02 gentoob0x sshd[22909]: Failed keyboard-interactive/pam for invalid user chekgiau from 190.146.246.36 port 29948 ssh2
/var/log/auth.log:Jan  1 23:27:34 gentoob0x sshd[23136]: Failed keyboard-interactive/pam for invalid user chen from 190.146.246.36 port 12162 ssh2
/var/log/auth.log:Jan  1 23:39:39 gentoob0x sshd[23265]: Failed keyboard-interactive/pam for invalid user chen from 200.13.253.122 port 49480 ssh2
/var/log/auth.log:Jan  2 00:07:29 gentoob0x sshd[24048]: Failed keyboard-interactive/pam for invalid user chen from 121.52.215.180 port 38445 ssh2
/var/log/auth.log:Jan  2 00:19:51 gentoob0x sshd[24175]: Failed keyboard-interactive/pam for invalid user chen from 201.82.6.7 port 51663 ssh2
/var/log/auth.log:Jan  2 00:32:04 gentoob0x sshd[24298]: Failed keyboard-interactive/pam for invalid user chen from 190.146.246.36 port 22546 ssh2
/var/log/auth.log:Jan  2 00:56:26 gentoob0x sshd[24511]: Failed keyboard-interactive/pam for invalid user chencm from 194.78.48.108 port 32424 ssh2
```

Notice the same user, from multiple IPs, incrementing alphabetically - and there's no chance of the IP being spoofed; the botnets be on the prowl! Just says to me these fellas have shit tonnes of disposable bots, to be going after such a pointless target as myself. I mean, I'm fully aware of their intentions should a compromise occur, but such evasion measures at the risk of wasting bots.

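The two checks the thread describes, as an added example that is not from any poster: a parser for OpenSSH "Failed ... ssh2" lines, a per-source burst check using the same 3-hits-in-600-seconds threshold as d2_racing's `-m recent` rules, and a check for one username tried from several sources, the botnet pattern in the log above. The log lines embedded in the block are constructed (documentation addresses), not real hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH/syslog format (documentation IPs, not real hosts)
SAMPLE_LOG = """\
Jan  1 19:00:01 gentoob0x sshd[20613]: Failed keyboard-interactive/pam for invalid user chao from 192.0.2.10 port 6257 ssh2
Jan  1 19:02:15 gentoob0x sshd[20729]: Failed keyboard-interactive/pam for invalid user chao from 198.51.100.7 port 21690 ssh2
Jan  1 19:03:28 gentoob0x sshd[20958]: Failed keyboard-interactive/pam for invalid user chen from 192.0.2.10 port 61083 ssh2
Jan  1 19:04:42 gentoob0x sshd[21055]: Failed password for root from 192.0.2.10 port 45826 ssh2
Jan  1 19:05:00 gentoob0x sshd[21060]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
Jan  1 20:30:00 gentoob0x sshd[21193]: Failed keyboard-interactive/pam for invalid user chen from 198.51.100.7 port 56792 ssh2
""".splitlines()

# "Failed <method> for [invalid user] <user> from <ip> port <n> ssh2", with an optional
# "/var/log/auth.log:" prefix as produced by grep across several files
FAILED_RE = re.compile(
    r"^(?:/[^:\s]*:)?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)

def parse_failures(lines):
    """Return [(timestamp, user, ip)] for failed-auth lines; everything else is skipped."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # syslog stamps carry no year; any fixed year keeps relative ordering intact
            ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} 2000", "%b %d %H:%M:%S %Y")
            events.append((ts, m["user"], m["ip"]))
    return events

def bursting_sources(events, hits=3, window=600):
    """IPs with >= hits failures inside window seconds, mirroring --hitcount 3 --seconds 600."""
    per_ip = defaultdict(list)
    for ts, _, ip in events:
        per_ip[ip].append(ts)
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - hits + 1):
            if times[i + hits - 1] - times[i] <= timedelta(seconds=window):
                flagged.add(ip)
                break
    return flagged

def distributed_usernames(events, min_ips=2):
    """Usernames tried from at least min_ips distinct sources: the pattern cach0rr0 describes."""
    ips_per_user = defaultdict(set)
    for _, user, ip in events:
        ips_per_user[user].add(ip)
    return {u: sorted(ips) for u, ips in ips_per_user.items() if len(ips) >= min_ips}
```

A source that only ever shows up once per hour never trips the burst check, which is exactly why the second check is worth running over a whole day of logs.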
----------

## recupero

Thanks,

would you kindly tell me what to configure in order to produce a /var/log/auth.log or a /var/log/sshd, since with a standard configuration I just have the binary wtmp.

----------

## NeddySeagoon

recupero,

A logging daemon but a logger is a part of the standard install. I use metalog, as it rotates logs for you and the default settings seem to be pretty good.

----------

## recupero

9. Installing Necessary System Tools

...yep, sometimes we don't read what we should read.

Thanks!

----------

## d2_racing

No problem, we have a lot to read the first time that we install a Gentoo box.

----------

