  1. #1
    Join Date
    Dec 2004
    Posts
    224

    Is this a strange ssh process??

    I saw the following processes, which made sshd critical some time ago. But now it has gone.

    ==============
    ps ax|grep ssh

    27472 ? S 0:00 sshd: unknown [net]
    27473 ? S 0:00 sshd: unknown [net]
    27478 ? S 0:00 sshd: unknown [net]
    27479 ? S 0:00 sshd: unknown [net]
    27480 ? S 0:00 sshd: unknown [net]
    27481 ? S 0:00 sshd: unknown [net]
    27482 ? S 0:00 sshd: unknown [net]
    27483 ? S 0:00 sshd: unknown [net]
    27484 ? S 0:00 sshd: unknown [net]
    27485 ? S 0:00 sshd: unknown [net]


    ==============

    # ll /proc/27485/
    total 0
    dr-xr-xr-x 3 sshd sshd 0 May 30 19:37 ./
    dr-xr-xr-x 267 root root 0 Mar 3 08:16 ../
    -r--r--r-- 1 root root 0 May 30 19:37 cmdline
    -r--r--r-- 1 root root 0 May 30 19:37 cpu
    lrwxrwxrwx 1 root root 0 May 30 19:37 cwd -> /var/empty/sshd/
    -r-------- 1 root root 0 May 30 19:37 environ
    lrwxrwxrwx 1 root root 0 May 30 19:37 exe -> /usr/sbin/sshd*
    dr-x------ 2 root root 0 May 30 19:37 fd/
    -r--r--r-- 1 root root 0 May 30 19:37 maps
    -rw------- 1 root root 0 May 30 19:37 mem
    -r--r--r-- 1 root root 0 May 30 19:37 mounts
    lrwxrwxrwx 1 root root 0 May 30 19:37 root -> /var/empty/sshd/
    -r--r--r-- 1 root root 0 May 30 19:37 stat
    -r--r--r-- 1 root root 0 May 30 19:37 statm
    -r--r--r-- 1 root root 0 May 30 19:37 status

    ==============

    # lsof -p 27472
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    sshd 27472 sshd cwd DIR 8,4 4096 6012939 /var/empty/sshd
    sshd 27472 sshd rtd DIR 8,4 4096 6012939 /var/empty/sshd
    sshd 27472 sshd txt REG 8,4 268956 557366 /usr/sbin/sshd
    sshd 27472 sshd mem REG 8,4 106896 541795 /lib/ld-2.3.2.so
    sshd 27472 sshd mem REG 8,4 28228 1228932 /usr/lib/libwrap.so.0.7.6
    sshd 27472 sshd mem REG 8,4 30488 540760 /lib/libpam.so.0.75
    sshd 27472 sshd mem REG 8,4 14832 540688 /lib/libdl-2.3.2.so
    sshd 27472 sshd mem REG 8,4 76508 540720 /lib/libresolv-2.3.2.so
    sshd 27472 sshd mem REG 8,4 12508 540726 /lib/libutil-2.3.2.so
    sshd 27472 sshd mem REG 8,4 52584 1228855 /usr/lib/libz.so.1.1.4
    sshd 27472 sshd mem REG 8,4 91004 540692 /lib/libnsl-2.3.2.so
    sshd 27472 sshd mem REG 8,4 972156 540755 /lib/libcrypto.so.0.9.7a
    sshd 27472 sshd mem REG 8,4 385252 8536088 /usr/kerberos/lib/libkrb5.so.3.1
    sshd 27472 sshd mem REG 8,4 72552 8536078 /usr/kerberos/lib/libk5crypto.so.3.0
    sshd 27472 sshd mem REG 8,4 5540 8536072 /usr/kerberos/lib/libcom_err.so.3.0
    sshd 27472 sshd mem REG 8,4 1571796 2687137 /lib/tls/libc-2.3.2.so
    sshd 27472 sshd mem REG 8,4 8548 540741 /lib/liblaus.so.1.0.0
    sshd 27472 sshd mem REG 8,4 76712 8536074 /usr/kerberos/lib/libgssapi_krb5.so.2.2
    sshd 27472 sshd mem REG 8,4 51916 540708 /lib/libnss_files-2.3.2.so
    sshd 27472 sshd mem CHR 1,5 105800 /dev/zero
    sshd 27472 sshd 0u CHR 1,3 99822 /dev/null
    sshd 27472 sshd 1u CHR 1,3 99822 /dev/null
    sshd 27472 sshd 2u CHR 1,3 99822 /dev/null
    sshd 27472 sshd 3u unix 0xe5b21e40 2905064552 socket
    sshd 27472 sshd 4u IPv4 -1389902764 TCP IP1sh->IP2:60763 (ESTABLISHED)
    sshd 27472 sshd 6w FIFO 0,5 2905064533 pipe

  2. #2
    Join Date
    Apr 2001
    Location
    Pittsburgh, PA
    Posts
    1,306
    sshd uses the process commandline to show its current status; these are just stranded processes which you can kill off, I expect.

    Kevin

  3. #3
    Join Date
    Dec 2004
    Posts
    224
    Okay, then what does that line at the bottom of lsof mean?

    "sshd 27472 sshd 4u IPv4 -1389902764 TCP IP1sh->IP2:60763 (ESTABLISHED)"

    Can you tell me what you mean by a stranded process?

  4. #4
    Join Date
    Apr 2001
    Location
    Pittsburgh, PA
    Posts
    1,306
    It looks like an established connection from a remote system to your SSH daemon. The IP address is written as a 32-bit number, apparently - I don't know why, lsof on BSD doesn't do that.

    My belief is that the remote end connected but didn't authenticate. Until they disconnect or a timeout kicks in, the process will remain.

    Kevin

  5. #5
    Join Date
    Dec 2004
    Posts
    224
    You are right Kevin!

    I see the following in /var/log/secure

    May 30 18:24:11 servername sshd[23970]: Did not receive identification string from 212.161.14.141

    sshd[26870]: Failed password for root from 212.161.14.141 port 59887 ssh2
    sshd[27462]: Failed password for illegal user rick from 212.161.14.141 port 60763 ssh2
    etc etc..

    212.161.14.141 is the IP2 I mentioned in lsof. The IP is already blocked by BFD.

  6. #6
    Join Date
    Sep 2002
    Location
    Behind your monitor.
    Posts
    569
    We are getting similar lines, but I can only get to them via WHM because at a certain point ssh no longer allows me access. The only way I have come to fix this is a reboot, as restarting the ssh server does not do anything. The load continues up from 10-20, then from 20-30 and so on until you get sick of looking at it. The rest of the server services seem to be running stable, even at such high loads, but the problem is why did this just start happening? It seems like it came about in CentOS 3.5; not sure what updates or breakage might have occurred in this release.

    sshd: unknown [net]
    sshd: unknown [priv]

    Perhaps changing the port SSH runs on would help? I think these are a result of brute force attempts and then ssh hanging on failed attempts to the point where they are all used up and legit users cannot connect. Any suggestions?
    GlowHost → Affordable Managed Web Hosting Since 2002.
    Cloud Servers - Hot Failover + Clustered Storage
    Managed Dedicated Servers - Semi-Dedicated Servers
    Shared & Reseller packages - 20 Min Ticket Response - 24/7/365 Phone & Live Chat

  7. #7
    Join Date
    Jun 2003
    Location
    United States of America
    Posts
    1,847
    you can always run

    netstat

    and

    last -n 15
    Computer Steroids - Full service website development solutions since 2001.
    (612)234-2768 - Locally owned and operated in the Minneapolis, Minnesota area.

  8. #8
    Join Date
    Sep 2002
    Location
    Behind your monitor.
    Posts
    569
    You could if you could gain a shell. That's the point: I cannot get into a shell because lately the connections are getting tied up, even if no one is actually logged in.

  9. #9
    Join Date
    Oct 2002
    Location
    /roof/ledge
    Posts
    28,074
    Go into WHM and restart the SSH process, then log in to shell before they get used up again?
    Your one stop shop for decentralization

  10. #10
    Join Date
    Sep 2002
    Location
    Behind your monitor.
    Posts
    569
    That's what I tried originally. Restarting SSH does not do it.
    Using view cpu usage and trying to kill the process does not do it either. They are stuck until reboot. And they appear to slowly leak memory and cpu; if you let it sit for a day, the load climbs about 10 points per day.

    I have seen this on at least 4 different machines now.

  11. #11
    Join Date
    Mar 2002
    Location
    Horsham, Victoria, Aust
    Posts
    210
    I've noticed this a few times myself, and you're right: SSH locks up and no amount of restarting the process will resolve the issue, until eventually the server bogs down and locks up and only a reboot of the server resolves it.
    Alpine Hosting - Australian & US General and Reseller Hosting - Dual Xeon Servers - 24/7 Support
    Dedicated Servers Australia -Australian Managed and Unmanaged Servers and Co-Location

  12. #12
    Join Date
    Sep 2002
    Location
    Behind your monitor.
    Posts
    569
    Check the audit log, and disable it. That's what had to be done for me.

  13. #13
    One precautionary measure would be to restart it and edit the sshd_config file to run it on a nonstandard port to avoid brute-force scanners scouring the internet. Another measure would be to write a script to auto-add firewall rules on brute force attacks such as these. Hope this helps.

  14. #14
    Quote Originally Posted by Gump
    Check the audit log, and disable it. That's what had to be done for me.
    Hi Gump

    I'm seeing the same problems on some servers.

    Could you please explain exactly what you did and why?

    Regards,
    Suhail.
    OSHS Ltd
    OSHS Services - DNS Clusters | R1Soft Licenses | R1Soft CDP Storage | UK Server Colo | UK Rack Space

  15. #15
    Check /var/log/messages to find if there are any suspicious IPs repeating a lot.

  16. #16
    Join Date
    Nov 2005
    Location
    Denmark
    Posts
    189
    You might want to set your ssh daemon to ban IPs after x tries (5?); that should take the load off it, and of course make sure you don't use weak passwords.
    Systems Developer/Programmer
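A defender-side log check that ties together the failed-password lines quoted in post #5, the "script to auto-add firewall rules" suggested in #13, the repeating-IP check in #15 and the ban-after-x-tries idea in #16. This is an added example, not code from any poster in this thread. It assumes a Linux host whose sshd logs to /var/log/secure and that has awk and iptables; the log lines inside it are constructed from the ones quoted above, with 198.51.100.7 and 192.0.2.10 as made-up documentation addresses.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines, modelled on the ones quoted in the
# thread. 198.51.100.7 and 192.0.2.10 are documentation addresses, not real hosts.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
May 30 18:24:11 servername sshd[23970]: Did not receive identification string from 212.161.14.141
May 30 18:25:02 servername sshd[26870]: Failed password for root from 212.161.14.141 port 59887 ssh2
May 30 18:25:05 servername sshd[26872]: Failed password for root from 212.161.14.141 port 59901 ssh2
May 30 18:25:09 servername sshd[27462]: Failed password for illegal user rick from 212.161.14.141 port 60763 ssh2
May 30 18:25:12 servername sshd[27470]: Failed password for illegal user test from 212.161.14.141 port 60780 ssh2
May 30 18:30:41 servername sshd[27500]: Failed password for admin from 198.51.100.7 port 41022 ssh2
May 30 18:31:00 servername sshd[27510]: Accepted password for kevin from 192.0.2.10 port 50012 ssh2
EOF

# Print "count ip" for every source that produced an sshd authentication failure,
# most frequent first. $1 is the log file. The address is the word after "from",
# which works for both "Failed password for USER" and "... for illegal user USER".
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Same tally for connections that opened a TCP session but never sent an SSH
# identification string. Those are the sessions that sit in sshd as
# "sshd: unknown [net]" until LoginGraceTime expires.
noident_by_ip() {
    awk '/Did not receive identification string from/ { n[$NF]++ }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Addresses with at least $2 failures in $1 (the "ban after x tries" threshold).
over_threshold() {
    failed_by_ip "$1" | awk -v min="$2" '$1 + 0 >= min + 0 { print $2 }'
}

# Emit one DROP rule per offending address for an operator to review; nothing is
# applied here. Piping the output into sh as root would install the rules.
# iptables syntax is assumed, as on the Linux hosts discussed in the thread.
block_rules() {
    over_threshold "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

echo "Failed logins per source:";        failed_by_ip "$SAMPLE_LOG"
echo "Connections with no ident string:"; noident_by_ip "$SAMPLE_LOG"
echo "Proposed rules (threshold 3):";    block_rules "$SAMPLE_LOG" 3
```

Run against the real file with `failed_by_ip /var/log/secure` once the functions are sourced. The point of separating `noident_by_ip` from `failed_by_ip` is that the hung "unknown [net]" processes in the first post come from clients that never finished the protocol handshake, so they show up only in the "Did not receive identification string" tally, not in the password-failure one; a threshold that only counts password failures would miss a scanner that merely opens and abandons connections.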

  17. #17
    Join Date
    Sep 2005
    Location
    NYC
    Posts
    61
    Grrr. Just noticed the same thing happening on a server of mine.
    www.GetHoste.net
    support@gethoste.net Aim: GHeSupport
    Reliable Hosting, Committed To Excellence.
    Shared Hosting | Reseller Accounts | ShoutCast Hosting
