I’ve tried to find out why I had some strange connections in my secure log file. Something like this:
Apr 23 11:35:43 li192-61 sshd: Did not receive identification string from 127.0.0.1
Apr 23 11:35:49 li192-61 sshd: Connection closed by UNKNOWN
I had many of these connections, each minute precisely. So I used the netstat command as
netstat -ta --numeric-ports --program | grep 22
to get more info. I got this (I removed my own ssh connection):
tcp 0 0 localhost:56145 localhost:22 TIME_WAIT -
Next I tried to find which one is using this port, so I used
lsof -i :22
and I got nothing except my own connection.
After I launched the netstat command again, I got this:
tcp 0 0 localhost:45979 localhost:22 TIME_WAIT -
A new port is being used as the remote destination from localhost through port 22. It’s the same thing each minute.
I have no more ideas right now. So this is my question:
Is there a way to get all processes which are using an ssh connection, or get all processes which are attempting to connect to a specific port (e.g. 45979)?
Thank you for your time !
There is a post here which suggests that this type of thing results when you have 2 competing sshd processes trying to bind to the same port.
You might want to get a local console, and run
service sshd stop
and then check
ps -ef | grep sshd
for any rogue sshd servers that are not under the control of the service wrapper.
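The once-a-minute pattern described in the question can be confirmed from the log itself before hunting for the process. The following is an added example, not part of the original posts: it groups the "Did not receive identification string" events by source and reports which sources arrive at a fixed interval. The sample log lines are constructed in the format quoted above, and the function name `probe_cadence` and its thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the syslog format quoted in the question (not real log data).
SAMPLE_LOG = """\
Apr 23 11:35:43 li192-61 sshd: Did not receive identification string from 127.0.0.1
Apr 23 11:35:49 li192-61 sshd: Connection closed by UNKNOWN
Apr 23 11:36:43 li192-61 sshd: Did not receive identification string from 127.0.0.1
Apr 23 11:37:44 li192-61 sshd: Did not receive identification string from 127.0.0.1
Apr 23 11:38:43 li192-61 sshd: Did not receive identification string from 127.0.0.1
Apr 23 11:41:10 li192-61 sshd: Did not receive identification string from 192.0.2.7
Apr 23 12:02:31 li192-61 sshd: Did not receive identification string from 192.0.2.7
Apr 23 12:05:02 li192-61 sshd: Did not receive identification string from 192.0.2.7
"""

# Matches the no-banner event, with or without the "[pid]" suffix after "sshd".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd(?:\[\d+\])?:\s+"
    r"Did not receive identification string from (?P<src>\S+)"
)

def probe_cadence(log_text, year=2000, jitter=5, min_events=3):
    """Return {source: report}; 'periodic' is True when every gap between
    events is within `jitter` seconds of the median gap."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; one is supplied only so they parse.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            seen[m["src"]].append(ts)
    report = {}
    for src, stamps in seen.items():
        if len(stamps) < min_events:
            continue  # too few events to say anything about cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        periodic = all(abs(g - period) <= jitter for g in gaps)
        report[src] = {"events": len(stamps), "period_s": period, "periodic": periodic}
    return report

if __name__ == "__main__":
    for src, info in probe_cadence(SAMPLE_LOG).items():
        print(src, info)
```

A fixed cadence from a loopback address suggests something scheduled on the host itself. The `TIME_WAIT` sockets in the netstat output are already closed and no longer belong to any process, which is why `--program` prints `-` for them and `lsof` lists nothing.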