I've tried to find out why I had some strange connections on my secure log file. Something like this :
Apr 23 11:35:43 li192-61 sshd[11651]: Did not receive identification string from 127.0.0.1
Apr 23 11:35:49 li192-61 sshd[11661]: Connection closed by UNKNOWN
I had many of these connections, each minute precisely. So I used the netstat command as netstat -ta --numeric-ports --program | grep 22 to get more info. I got this (I removed my own ssh connection) :
tcp 0 0 localhost:56145 localhost:22 TIME_WAIT -
Next I tried to find which one is using this port, so I used lsof -i :22 and I got nothing except my own connection.
After I launched netstatcommand again, I got this :
tcp 0 0 localhost:45979 localhost:22 TIME_WAIT -
A new port is using as remote destination from localhost through port 22. It's the same thing each minute.
I have no more ideas right now. So this my question :
Is there a way to get all process which are using ssh connection or get all process which are attempting to connect to a specific port (e.g: 45979) ?
Thank you for your time !
Best Answer
There is a post here which suggests that this type of thing results when you have 2 competing sshd processes trying to bind to the same port.
You might want to get a local console, and run
service sshd stopand then checkps -ef | grep sshdfor any rogue sshd servers that are not under the control of the service wrapper.