[GRLUG] Rogue SSH connections
Adam Tauno Williams
awilliam at whitemice.org
Sun Oct 6 20:04:59 EDT 2013
On Sun, 2013-10-06 at 17:53 -0500, L. V. Lammert wrote:
> When one does fstat [lsof] on a BSD box, it returns detailed information
> about open files, e.g.:
> lvl ssh 19533 4* internet stream tcp 0xd9041800 \
> 22.214.171.124:3160 --> 126.96.36.199:2206
> How does one get similar info on Linux? One of our workgroup servers is
> opening ssh connections to a BSD server and leaving them open, but I
> cannot figure out what is causing them. Need to track back the IP to a
> PID/process on the Linux box for a clue.
lsof is 'standard' UNIX. It works on LINUX, BSD, AIX, Slowaris, etc...
If you want to see details on a specific socket connection then "ss" can
tell you much much more. See slide 20 of 20 from the above link.
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
More information about the grlug