Unidentified SSH connections / unable to restrict or block

halcyon2600

Member
I've tried everything I can think of, so here we go... maybe someone else has run across this and hasn't documented it.

This server has an excessive amount of established `sshd` connections that we haven't been able to identify.

System details:
ESXi 6.5 hosted VM
CentOS Linux release 7.4.1708 (Core)
WHM v66.0.23
Typical hosting setup with many Softaculous installs

Example of some things I've done so far:
[Removed Due to use of real domain names and IP addresses]

cPanelMichael

Administrator
Staff member
Hello,

Can you provide an example of the processes or connections that you see, ensuring not to use real domain names or IP addresses?

Thank you.
 

halcyon2600

Member
Wow, ok, apparently the forum bot (or admins) stripped out all of what I'd already provided so far... including the part that didn't have domains and IP addresses... thanks. I'll scrub the output (including confirmed blacklisted IPs) and try to repost.
 

halcyon2600

Member
I have replaced all IPs with x.x.x or just x-x-x, and my servers and domains with <myserver> & <mydomain>. The who command shows only my session. Below you will see only a snippet of the sessions; I can provide full output if needed. There are between 20 and 52 sessions at any given time, mapped to uid 0 (root) and one other WHM/cPanel user account, most mapped to uid 0.

[root@myserver ~]# who -la
system boot 2017-09-14 03:27
LOGIN tty1 2017-09-20 00:29 69704 id=tty1
run-level 3 2017-09-14 03:31
root + pts/0 2017-09-21 10:43 . 95134 (my.ip.aaddress)
pts/1 2017-09-20 20:45 22534 id=ts/1 term=0 exit=0

---
ps aux | grep sshd

root 119925 0.0 0.0 146576 4764 ? Ss 01:08 0:00 sshd: unknown [priv]
sshd 119926 0.0 0.0 104908 2404 ? S 01:08 0:00 sshd: unknown [net]

---
netstat -na | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 84 x.x.x.203:22 82.x.x.x:47236 ESTABLISHED
tcp 0 84 x.x.x.205:22 123.x.x.x:39906 ESTABLISHED
tcp 1 1 x.x.x.205:22 185.x.x.x:57601 LAST_ACK
tcp 0 96 x.x.x.205:22 79.x.x.x:10626 ESTABLISHED
tcp 0 84 x.x.x.203:22 185.x.x.x:40013 ESTABLISHED
tcp 0 96 x.x.x.203:22 180.x.x.x:2825 ESTABLISHED
tcp 0 84 x.x.x.203:22 210.x.x.x:55732 ESTABLISHED
tcp 0 84 x.x.x.205:22 197.x.x.x:50532 ESTABLISHED
tcp 0 84 x.x.x.203:22 218.x.x.x:33225 ESTABLISHED
tcp 0 84 x.x.x.203:22 78.x.x.x:38093 ESTABLISHED
tcp 0 84 x.x.x.205:22 58.x.x.x:1459 ESTABLISHED
tcp 0 96 x.x.x.205:22 46.x.x.x:53513 ESTABLISHED
tcp 0 84 x.x.x.205:22 212.x.x.x:51854 ESTABLISHED
tcp 0 84 x.x.x.205:22 59.x.x.x:44494 ESTABLISHED
tcp 0 84 x.x.x.203:22 58.x.x.x:16078 ESTABLISHED
tcp 0 96 x.x.x.205:22 210.x.x.x:9224 ESTABLISHED
tcp 0 96 x.x.x.205:22 140.x.x.x:3594 ESTABLISHED
tcp 0 84 x.x.x.203:22 119.x.x.x:51444 ESTABLISHED
tcp 0 84 x.x.x.203:22 197.x.x.x:38704 ESTABLISHED
tcp 0 96 x.x.x.205:22 109.x.x.x:50441 ESTABLISHED
tcp 0 96 x.x.x.203:22 156.x.x.x:55304 ESTABLISHED
tcp 0 96 x.x.x.203:22 77.x.x.x:49819 ESTABLISHED
tcp 0 96 x.x.x.203:22 118.x.x.x:2086 ESTABLISHED
tcp 0 96 x.x.x.203:22 203.x.x.x:45321 ESTABLISHED
tcp 0 84 x.x.x.205:22 202.x.x.x:60788 ESTABLISHED
tcp 0 96 x.x.x.205:22 81.x.x.x:30728 ESTABLISHED
tcp 0 36 x.x.x.205:22 70.x.x.x:51426 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN

---
snippet from `lsof -i :22` output>

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 119925 root 3u IPv4 15311909 0t0 TCP myserver.mydomain:ssh->54.subnet180-x-x.x.x.net.id:2825 (ESTABLISHED)
sshd 119926 sshd 3u IPv4 15311909 0t0 TCP myserver.mydomain:ssh->54.subnet180-x-x.x.x.net.id:2825 (ESTABLISHED)

---
example used to show mapping >

sshd 119925 root 3u IPv4 15311909 0t0 TCP myserver.mydomain:ssh->54.subnet180-x-x.x.x.net.id:2825 (ESTABLISHED)

---
sshd process is running as root, along with many others >

[root@myserver ~]# ps -eo pid,uid,euid | grep 119925
119925 0 0
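A defender-side way to triage output like the above, added here as an example and not taken from the thread: it parses lines in the `ps aux | grep sshd` and `netstat -na | grep :22` formats shown (constructed samples with RFC 5737 addresses, not the poster's real data) and separates pre-auth `sshd: unknown [priv]`/`[net]` sessions, which have not logged in and therefore never show up in `who`, from authenticated ones, then counts established peers per source address. Function and sample names are my own.

```python
"""Summarize sshd sessions from `ps aux | grep sshd` and `netstat -na | grep :22`.
Added example, not from the thread. Before login, OpenSSH shows each connection as a
root "sshd: unknown [priv]" monitor plus an unprivileged "sshd: unknown [net]" child;
the title becomes "sshd: <user>@<tty>" only after authentication. Sample lines below
are constructed in the thread's format, using RFC 5737 documentation addresses."""
import re
from collections import Counter

PS_RE = re.compile(
    r"^\S+\s+(?P<pid>\d+)\s.*sshd:\s+(?P<user>[^\s@]+)(?:@\S+)?\s*(?P<stage>\[(?:priv|net)\])?\s*$")
NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+):22\s+(?P<remote>\S+):(?P<rport>\S+)\s+(?P<state>\S+)")

def parse_ps(lines):
    """Map pid -> (user, stage); stage is None once the session is authenticated."""
    procs = {}
    for line in lines:
        m = PS_RE.search(line)
        if m:
            procs[int(m["pid"])] = (m["user"], m["stage"])
    return procs

def parse_netstat(lines):
    """Return (remote_ip, state) for every socket whose local port is 22."""
    return [(m["remote"], m["state"]) for m in map(NETSTAT_RE.search, lines) if m]

def summarize(ps_lines, netstat_lines):
    """Count pre-auth vs authenticated sessions and established peers per source IP."""
    procs = parse_ps(ps_lines)
    preauth = sum(1 for u, s in procs.values() if u == "unknown" and s == "[priv]")
    authed = sum(1 for u, s in procs.values() if u != "unknown" and s is None)
    peers = Counter(ip for ip, st in parse_netstat(netstat_lines) if st == "ESTABLISHED")
    return {"preauth": preauth, "authenticated": authed, "established_by_source": dict(peers)}

PS_SAMPLE = """\
root 119925 0.0 0.0 146576 4764 ? Ss 01:08 0:00 sshd: unknown [priv]
sshd 119926 0.0 0.0 104908 2404 ? S 01:08 0:00 sshd: unknown [net]
root 120001 0.0 0.0 146576 4764 ? Ss 01:09 0:00 sshd: unknown [priv]
sshd 120002 0.0 0.0 104908 2404 ? S 01:09 0:00 sshd: unknown [net]
root 95130 0.0 0.0 146576 4900 ? Ss 10:43 0:00 sshd: root [priv]
root 95134 0.0 0.0 146576 4900 ? S 10:43 0:00 sshd: root@pts/0""".splitlines()
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 84 192.0.2.203:22 198.51.100.7:47236 ESTABLISHED
tcp 0 84 192.0.2.205:22 198.51.100.7:39906 ESTABLISHED
tcp 1 1 192.0.2.205:22 203.0.113.9:57601 LAST_ACK
tcp 0 96 192.0.2.205:22 203.0.113.9:10626 ESTABLISHED
tcp 0 0 192.0.2.203:22 203.0.113.50:51000 ESTABLISHED""".splitlines()
```

Calling `summarize(PS_SAMPLE, NETSTAT_SAMPLE)` on the constructed samples reports two pre-auth sessions, one authenticated session, and the established peers grouped by source; on a real host, feed it the live command output instead.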
 

cPanelMichael

Administrator
Staff member
Hello,

Could you open a support ticket using the link in my signature so we can take a closer look at the affected system?

Thank you.
 

halcyon2600

Member
I've submitted the ticket; please don't make any changes to the system. Please provide instructions to me and I will make the changes.

Thanks!