Ubuntu – Netstat showing multiple connections on ssh login

netstat, ssh, Ubuntu

I connect to my server via ssh. I am the only person who has access to connect to the server. After connecting via ssh, I run the following command:

sudo netstat -tupn

The output includes the following two lines:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address
tcp        0      0 MY.SERVER.IP.ADDRESS:22       MY.HOME.IP.ADDRESS:54886     ESTABLISHED 18677/0
tcp        0    324 MY.SERVER.IP.ADDRESS:22       MY.HOME.IP.ADDRESS:55096     ESTABLISHED 18843/1

Based on my limited knowledge, it seems like these two lines from the output are related to my ssh connection. I believe this is true because the port is 22, and the foreign address is my home IP address.

I'm trying to understand what these 2 lines represent. Why are there two connections shown for my single ssh connection?

Also, would netstat be a good tool to use to see if someone has gained unauthorized access to my server? If someone did, would I see their connection in the netstat output?

Best Answer

The lines appear to indicate 2 active (ESTABLISHED state) ssh connections from your home machine (one maybe from an scp operation in progress, or an ssh session from a different terminal, or some backgrounded shell?).

The lines include the PIDs for the processes they correspond to on the last column, 18677 and 18843 in your case. You can check what processes they are (ps -ef | grep <PID>). For normal ssh connections they'd be sshd processes.

You can also find out which PIDs on your home machine they correspond to by running sudo netstat -tupn on your home machine; you'd see something along these lines (note the matching IP_ADDRESS:PORT_NUM values, but with the local and foreign/remote address columns reversed):

Proto Recv-Q Send-Q Local Address                  Foreign Address             State       PID/...

tcp        0      0 MY.HOME.IP.ADDRESS:54886       MY.SERVER.IP.ADDRESS:22     ESTABLISHED PID1/...
tcp        0      0 MY.HOME.IP.ADDRESS:55096       MY.SERVER.IP.ADDRESS:22     ESTABLISHED PID2/...

From the corresponding pids you can then find the corresponding processes, their parents, etc.

Yes, netstat is a good tool to use. As long as the unauthorized access doesn't manage to somehow circumvent the way in which netstat works (which IMHO is possible, but not very likely for common attacks) you should be able to see such active connections and maybe even traces of those terminating or very recently terminated (states like TIME_WAIT or CLOSE_WAIT).
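As an added example (not part of the question or the answer above), the following shell functions turn the manual check the answer describes into something repeatable: they parse netstat -tupn output, list every ESTABLISHED session on the local ssh port together with its remote address and PID, and report any remote address that is not the one you expect (your home IP). The netstat output embedded below is constructed for illustration; the IP addresses, ports, PIDs and user names in it are made up.

```shell
#!/bin/sh
# Constructed sample of `sudo netstat -tupn` output (not real data): two ssh
# sessions from the expected home address, one from an unexpected address,
# and an unrelated HTTPS connection that must be ignored.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.10:22         198.51.100.7:54886      ESTABLISHED 18677/sshd: alice
tcp        0    324 203.0.113.10:22         198.51.100.7:55096      ESTABLISHED 18843/sshd: alice
tcp        0      0 203.0.113.10:22         192.0.2.44:41022        ESTABLISHED 19012/sshd: root
tcp        0      0 203.0.113.10:443        192.0.2.99:51000        ESTABLISHED 2201/nginx'

# ssh_sessions [port]: read netstat -tupn output on stdin and print one line
# per ESTABLISHED connection whose local port is <port> (default 22):
#   <remote-ip> <remote-port> <pid> <program name>
ssh_sessions() {
    port="${1:-22}"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            # Local Address is $4 as "ip:port"; the port is the last ":" field,
            # which also works for IPv6 addresses that contain ":" themselves.
            n = split($4, l, ":")
            if (l[n] != port) next
            m = split($5, r, ":")
            rport = r[m]
            rip = substr($5, 1, length($5) - length(rport) - 1)
            # $7 is "PID/Program"; sshd appends the user name as a further
            # field (e.g. "sshd: alice"), so glue any remaining fields on.
            split($7, p, "/")
            prog = p[2]
            for (i = 8; i <= NF; i++) prog = prog " " $i
            print rip, rport, p[1], prog
        }'
}

# unexpected_ssh_sources <allowed-ip>: same input on stdin; print each remote
# IP with ssh sessions that is NOT the allowed address, followed by how many
# sessions it holds. Empty output means every ssh session is from <allowed-ip>.
unexpected_ssh_sources() {
    allowed="$1"
    ssh_sessions 22 | awk -v ok="$allowed" '
        $1 != ok { c[$1]++ }
        END { for (ip in c) print ip, c[ip] }'
}

# describe_pid <pid>: the "ps -ef | grep <PID>" step from the answer, without
# the grep: show the process behind a netstat PID, its parent PID, user,
# elapsed time and command line. Only meaningful on the live server.
describe_pid() {
    ps -o pid=,ppid=,user=,etime=,args= -p "$1"
}

# Run against the constructed sample; on a real server replace the printf
# with:  sudo netstat -tupn | ssh_sessions
printf '%s\n' "$SAMPLE_NETSTAT" | ssh_sessions
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ssh_sources 198.51.100.7
```

On current Ubuntu releases netstat is no longer installed by default; the ss equivalent of the same view is sudo ss -tnp state established '( sport = :22 )', whose columns differ slightly, so the awk field numbers above are specific to netstat -tupn. A PID reported by either tool can be fed to describe_pid, and following the PPID chain from there shows whether the session belongs to an interactive shell, an scp, or something you did not start.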