<p dir="ltr">Check for crons? Enable network audit logs on selinux? Flush the connections on the BSD box and see if they return.</p>
<div class="gmail_quote">On Oct 7, 2013 3:58 PM, "L. V. Lammert" <<a href="mailto:lvl@omnitec.net">lvl@omnitec.net</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Got one! The Linux box tried to open an ssh connection from 60301 on .252,<br>
.. which leaves the two connections described previously.<br>
<br>
On the BSD box:<br>
<br>
lvl sshd 28242 5* internet stream tcp 0xd8fcc7ec <a href="http://206.197.251.191:2206" target="_blank">206.197.251.191:2206</a> <-- <a href="http://206.197.251.252:60301" target="_blank">206.197.251.252:60301</a><br>
root sshd 9103 5* internet stream tcp 0xd8fcc7ec <a href="http://206.197.251.191:2206" target="_blank">206.197.251.191:2206</a> <-- <a href="http://206.197.251.252:60301" target="_blank">206.197.251.252:60301</a><br>
<br>
tcpdump shows the connection from .252:<br>
<br>
14:28:15.259420 marvel.omnitec.net.60301 > apollo.omnitec.net.2206: S<br>
2950403490:2950403490(0) win 14600 <mss 1460,sackOK,timestamp 405541957<br>
0,nop,wscale 7> (DF)<br>
14:28:15.259723 marvel.omnitec.net.60301 > apollo.omnitec.net.2206: . ack<br>
1733911734 win 115 <nop,nop,timestamp 405541957 3356340392> (DF)<br>
<br>
BUT there is no process using 60301 on the Linux box:<br>
<br>
# lsof | grep 60301<br>
<br>
<blank><br>
<br>
Something is opening a connection and then dropping, .. there is a keypair<br>
for user lvl (me), but with it disabled nothing changed.<br>
<br>
Any more thoughts on how to isolate the source on the Linux box?<br>
<br>
Thanks!<br>
<br>
Lee<br>
_______________________________________________<br>
grlug mailing list<br>
<a href="mailto:grlug@grlug.org">grlug@grlug.org</a><br>
<a href="http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug" target="_blank">http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug</a><br>
</blockquote></div>