Thread: Is this a strange ssh process??
-
05-30-2005, 07:50 PM #1 Junior Guru
- Join Date
- Dec 2004
- Posts
- 224
Is this a strange ssh process??
I saw the following processes, which made sshd critical, some time ago. But now it has gone.
==============
ps ax|grep ssh
27472 ? S 0:00 sshd: unknown [net]
27473 ? S 0:00 sshd: unknown [net]
27478 ? S 0:00 sshd: unknown [net]
27479 ? S 0:00 sshd: unknown [net]
27480 ? S 0:00 sshd: unknown [net]
27481 ? S 0:00 sshd: unknown [net]
27482 ? S 0:00 sshd: unknown [net]
27483 ? S 0:00 sshd: unknown [net]
27484 ? S 0:00 sshd: unknown [net]
27485 ? S 0:00 sshd: unknown [net]
==============
# ll /proc/27485/
total 0
dr-xr-xr-x 3 sshd sshd 0 May 30 19:37 ./
dr-xr-xr-x 267 root root 0 Mar 3 08:16 ../
-r--r--r-- 1 root root 0 May 30 19:37 cmdline
-r--r--r-- 1 root root 0 May 30 19:37 cpu
lrwxrwxrwx 1 root root 0 May 30 19:37 cwd -> /var/empty/sshd/
-r-------- 1 root root 0 May 30 19:37 environ
lrwxrwxrwx 1 root root 0 May 30 19:37 exe -> /usr/sbin/sshd*
dr-x------ 2 root root 0 May 30 19:37 fd/
-r--r--r-- 1 root root 0 May 30 19:37 maps
-rw------- 1 root root 0 May 30 19:37 mem
-r--r--r-- 1 root root 0 May 30 19:37 mounts
lrwxrwxrwx 1 root root 0 May 30 19:37 root -> /var/empty/sshd/
-r--r--r-- 1 root root 0 May 30 19:37 stat
-r--r--r-- 1 root root 0 May 30 19:37 statm
-r--r--r-- 1 root root 0 May 30 19:37 status
==============
# lsof -p 27472
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 27472 sshd cwd DIR 8,4 4096 6012939 /var/empty/sshd
sshd 27472 sshd rtd DIR 8,4 4096 6012939 /var/empty/sshd
sshd 27472 sshd txt REG 8,4 268956 557366 /usr/sbin/sshd
sshd 27472 sshd mem REG 8,4 106896 541795 /lib/ld-2.3.2.so
sshd 27472 sshd mem REG 8,4 28228 1228932 /usr/lib/libwrap.so.0.7.6
sshd 27472 sshd mem REG 8,4 30488 540760 /lib/libpam.so.0.75
sshd 27472 sshd mem REG 8,4 14832 540688 /lib/libdl-2.3.2.so
sshd 27472 sshd mem REG 8,4 76508 540720 /lib/libresolv-2.3.2.so
sshd 27472 sshd mem REG 8,4 12508 540726 /lib/libutil-2.3.2.so
sshd 27472 sshd mem REG 8,4 52584 1228855 /usr/lib/libz.so.1.1.4
sshd 27472 sshd mem REG 8,4 91004 540692 /lib/libnsl-2.3.2.so
sshd 27472 sshd mem REG 8,4 972156 540755 /lib/libcrypto.so.0.9.7a
sshd 27472 sshd mem REG 8,4 385252 8536088 /usr/kerberos/lib/libkrb5.so.3.1
sshd 27472 sshd mem REG 8,4 72552 8536078 /usr/kerberos/lib/libk5crypto.so.3.0
sshd 27472 sshd mem REG 8,4 5540 8536072 /usr/kerberos/lib/libcom_err.so.3.0
sshd 27472 sshd mem REG 8,4 1571796 2687137 /lib/tls/libc-2.3.2.so
sshd 27472 sshd mem REG 8,4 8548 540741 /lib/liblaus.so.1.0.0
sshd 27472 sshd mem REG 8,4 76712 8536074 /usr/kerberos/lib/libgssapi_krb5.so.2.2
sshd 27472 sshd mem REG 8,4 51916 540708 /lib/libnss_files-2.3.2.so
sshd 27472 sshd mem CHR 1,5 105800 /dev/zero
sshd 27472 sshd 0u CHR 1,3 99822 /dev/null
sshd 27472 sshd 1u CHR 1,3 99822 /dev/null
sshd 27472 sshd 2u CHR 1,3 99822 /dev/null
sshd 27472 sshd 3u unix 0xe5b21e40 2905064552 socket
sshd 27472 sshd 4u IPv4 -1389902764 TCP IP1sh->IP2:60763 (ESTABLISHED)
sshd 27472 sshd 6w FIFO 0,5 2905064533 pipe
-
05-30-2005, 09:08 PM #2 Web Hosting Master
- Join Date
- Apr 2001
- Location
- Pittsburgh, PA
- Posts
- 1,306
sshd uses the process commandline to show its current status; these are just stranded processes which you can kill off, I expect.
Kevin
-
05-30-2005, 09:13 PM #3 Junior Guru
- Join Date
- Dec 2004
- Posts
- 224
okay
then, what does that line at the bottom of lsof mean?
"sshd 27472 sshd 4u IPv4 -1389902764 TCP IP1sh->IP2:60763 (ESTABLISHED)"
can you tell me what you mean by stranded process?
-
05-30-2005, 09:20 PM #4 Web Hosting Master
- Join Date
- Apr 2001
- Location
- Pittsburgh, PA
- Posts
- 1,306
It looks like an established connection from a remote system to your SSH daemon. The IP address is written as a 32-bit number, apparently - I don't know why, lsof on BSD doesn't do that.
My belief is that the remote end connected but didn't authenticate. Until they disconnect or a timeout kicks in, the process will remain.
Kevin
-
05-30-2005, 10:27 PM #5 Junior Guru
- Join Date
- Dec 2004
- Posts
- 224
You are right Kevin!
I see the following in /var/log/secure
May 30 18:24:11 servername sshd[23970]: Did not receive identification string from 212.161.14.141
sshd[26870]: Failed password for root from 212.161.14.141 port 59887 ssh2
sshd[27462]: Failed password for illegal user rick from 212.161.14.141 port 60763 ssh2
etc. etc.
212.161.14.141 is the IP2 I mentioned in lsof. The IP is already blocked by BFD.
-
07-20-2005, 12:59 PM #6 We Manage Everything.
- Join Date
- Sep 2002
- Location
- Behind your monitor.
- Posts
- 569
We are getting similar lines, but I can only get to them via WHM because at a certain point ssh no longer allows me access. The only way I have come to fix this is a reboot, as restarting the ssh server does not do anything. The load continues up from 10-20, then from 20-30 and so on until you get sick of looking at it. The rest of the server services seem to be running stable, even at such high loads, but the problem is why did this just start happening? It seems like it came about in CentOS 3.5; not sure what updates or breakage might have occurred in this release.
sshd: unknown [net]
sshd: unknown [priv]
Perhaps changing the port SSH runs on would help? I think these are a result of brute force attempts and then ssh hanging on failed attempts to the point where they are all used up and legit users cannot connect. Any suggestions?
★ GlowHost ★ → Affordable Managed Web Hosting Since 2002.
- Cloud Servers - Hot Failover + Clustered Storage
- Managed Dedicated Servers - Semi-Dedicated Servers
- Shared & Reseller packages - 20 Min Ticket Response - 24/7/365 Phone & Live Chat
-
07-20-2005, 02:15 PM #7 Web Hosting Master
- Join Date
- Jun 2003
- Location
- United States of America
- Posts
- 1,847
you can always run
netstat
and
last -n 15
Computer Steroids - Full service website development solutions since 2001.
(612)234-2768 - Locally owned and operated in the Minneapolis, Minnesota area.
-
07-20-2005, 03:57 PM #8 We Manage Everything.
- Join Date
- Sep 2002
- Location
- Behind your monitor.
- Posts
- 569
You could if you could gain a shell. That's the point: I cannot get into a shell because lately the connections are getting tied up, even if no one is actually logged in.
-
07-20-2005, 07:57 PM #9
Go into WHM and restart the SSH process, then log in to shell before they get used up again?
Your one stop shop for decentralization
-
07-20-2005, 08:03 PM #10 We Manage Everything.
- Join Date
- Sep 2002
- Location
- Behind your monitor.
- Posts
- 569
That's what I tried originally. Restarting SSH does not do it.
Using "view cpu usage" and trying to kill the process does not do it either. They are stuck until reboot. And they appear to slowly leak memory and cpu; if you let it sit for a day the load climbs about 10 points per day.
I have seen this on at least 4 different machines now.
-
08-30-2005, 02:44 AM #11 Junior Guru
- Join Date
- Mar 2002
- Location
- Horsham, Victoria, Aust
- Posts
- 210
I've noticed this a few times myself and you're right: SSH locks up and no amount of restarting the process will resolve the issue, until eventually the server bogs down and locks up and only a reboot of the server resolves it.
Alpine Hosting - Australian & US General and Reseller Hosting - Dual Xeon Servers - 24/7 Support
Dedicated Servers Australia -Australian Managed and Unmanaged Servers and Co-Location
-
08-30-2005, 11:24 AM #12 We Manage Everything.
- Join Date
- Sep 2002
- Location
- Behind your monitor.
- Posts
- 569
Check the audit log, and disable it. That's what had to be done for me.
-
08-30-2005, 12:01 PM #13 Newbie
- Join Date
- Aug 2005
- Posts
- 25
One precautionary measure would be to restart it and edit the sshd_config file to run it on a nonstandard port to avoid bruteforce scanners scouring the internet. Another measure would be to write a script to auto add firewall rules on brute force attacks such as these. Hope this helps.
-
11-05-2005, 04:52 PM #14 Premium Member
- Join Date
- Jul 2004
- Posts
- 535
Originally Posted by Gump
I'm seeing the same problems on some servers.
Could you please explain exactly what you did and why?
Regards,
Suhail.
OSHS Ltd
OSHS Services - DNS Clusters | R1Soft Licenses | R1Soft CDP Storage | UK Server Colo | UK Rack Space
-
11-12-2005, 04:19 PM #15 WHT Addict
- Join Date
- Mar 2005
- Posts
- 146
Check /var/log/messages to find out if there are any suspicious IPs that are repeating a lot.
-
11-13-2005, 01:51 PM #16 Junior Guru
- Join Date
- Nov 2005
- Location
- Denmark
- Posts
- 189
you might wanna set your ssh daemon to ban IPs after x tries (5?); that should take the load off it, and of course make sure you don't use weak passwords
Systems Developer/Programmer
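The /var/log/secure lines quoted in post #5, the "script to auto add firewall rules" suggested in post #13 and the ban-after-x-tries threshold from post #16 describe one defender-side workflow: parse the sshd log, count failures per source, and block sources over a threshold. The script below is an added example written for this thread; it is not code from any poster, from cPanel/WHM or from BFD. Its sample log is constructed from the lines in post #5 (timestamps, pids and the second address 10.0.0.5 are made up), the threshold of 5 follows post #16, the iptables rule text is an assumption about the admin's firewall and is only printed for review, never executed, and accepting "invalid user" alongside the thread's "illegal user" is an assumption about newer OpenSSH wording. The allowlist is there because post #6 shows what losing your own SSH access costs: a management address should never be auto-banned.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional

# Constructed sample, modelled on the /var/log/secure lines quoted in post #5.
# Timestamps, pids and the 10.0.0.5 source are made up for this example.
SAMPLE_SECURE_LOG = """\
May 30 18:24:11 servername sshd[23970]: Did not receive identification string from 212.161.14.141
May 30 18:25:02 servername sshd[26870]: Failed password for root from 212.161.14.141 port 59887 ssh2
May 30 18:25:09 servername sshd[27462]: Failed password for illegal user rick from 212.161.14.141 port 60763 ssh2
May 30 18:25:15 servername sshd[27470]: Failed password for illegal user test from 212.161.14.141 port 60801 ssh2
May 30 18:25:21 servername sshd[27475]: Failed password for root from 212.161.14.141 port 60822 ssh2
May 30 18:25:27 servername sshd[27481]: Failed password for admin from 212.161.14.141 port 60830 ssh2
May 30 18:40:00 servername sshd[27600]: Failed password for alice from 10.0.0.5 port 40000 ssh2
May 30 18:40:30 servername sshd[27601]: Accepted password for alice from 10.0.0.5 port 40001 ssh2
"""

# Two event shapes from the thread: a failed password and a connection that never
# sent an SSH banner. "illegal user" is the thread's OpenSSH wording; "invalid user"
# is accepted as well (assumption: newer releases use that phrase).
EVENT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: "
    r"(?:Failed password for (?P<illegal>(?:illegal|invalid) user )?(?P<user>\S+)"
    r"|(?P<probe>Did not receive identification string))"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


class SshdEvent(NamedTuple):
    ip: str
    kind: str            # "failed" (bad password) or "probe" (no banner sent)
    user: Optional[str]  # username tried; None for probes
    illegal: bool        # True when sshd said the account does not exist


def parse_sshd_events(text: str) -> List[SshdEvent]:
    """Extract failed-login and banner-probe events; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # accepted logins, disconnects, etc. are not attack signals here
        if m.group("probe"):
            events.append(SshdEvent(m.group("ip"), "probe", None, False))
        else:
            events.append(SshdEvent(m.group("ip"), "failed",
                                    m.group("user"), m.group("illegal") is not None))
    return events


def count_failures(events: Iterable[SshdEvent]) -> Dict[str, int]:
    """Failed password attempts per source address."""
    return dict(Counter(e.ip for e in events if e.kind == "failed"))


def count_probes(events: Iterable[SshdEvent]) -> Dict[str, int]:
    """Connections that never sent an identification string, per source."""
    return dict(Counter(e.ip for e in events if e.kind == "probe"))


def users_tried(events: Iterable[SshdEvent], ip: str) -> List[str]:
    """Distinct usernames one source tried, in first-seen order (guess-list signature)."""
    seen: List[str] = []
    for e in events:
        if e.ip == ip and e.kind == "failed" and e.user not in seen:
            seen.append(e.user)
    return seen


def candidate_blocks(failures: Dict[str, int], threshold: int = 5,
                     allowlist: Iterable[str] = ()) -> List[str]:
    """Sources at or above the failure threshold, minus addresses that must never be
    blocked (your own management address, so an auto-ban cannot lock you out)."""
    safe = set(allowlist)
    return sorted(ip for ip, n in failures.items() if n >= threshold and ip not in safe)


def iptables_rules(ips: Iterable[str], port: int = 22) -> List[str]:
    """Render DROP rules as text for review; this function never runs iptables (assumed rule form)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    ev = parse_sshd_events(SAMPLE_SECURE_LOG)
    fails = count_failures(ev)
    for ip, n in sorted(fails.items()):
        print(f"{ip}: {n} failed logins, users tried: {users_tried(ev, ip)}")
    for ip, n in count_probes(ev).items():
        print(f"{ip}: {n} connection(s) with no identification string")
    for rule in iptables_rules(candidate_blocks(fails, threshold=5, allowlist={"10.0.0.5"})):
        print(rule)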
-
11-17-2005, 12:52 AM #17Junior Guru Wannabe
- Join Date
- Sep 2005
- Location
- NYC
- Posts
- 61
grrr. just noticed same thing happening on a server of mine
www.GetHoste.net
support@gethoste.net Aim: GHeSupport
Reliable Hosting, Commited To Excellence.
Shared Hosting | Reseller Accounts | ShoutCast Hosting