Unidentified SSH connections / unable to restrict or block

Discussion in 'Security' started by halcyon2600, Sep 20, 2017.

  1. halcyon2600

    halcyon2600 Member

    Joined:
    Jan 22, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Raleigh, NC
    I've tried everything I can think of, so here we go... maybe someone else has run across this and hasn't documented it.

    This server has an excessive amount of established `sshd` connections that we haven't been able to identify.

    System details:
    ESXi 6.5 hosted VM
    CentOS Linux release 7.4.1708 (Core)
    WHM v66.0.23
    Typical hosting setup with many Softaculous installs

    Example of some things I've done so far:
    [Removed Due to use of real domain names and IP addresses]
     
    #1 halcyon2600, Sep 20, 2017
    Last edited by a moderator: Sep 20, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Can you provide an example of the processes or connections that you see, ensuring not to use real domain names or IP addresses?

    Thank you.
     
  3. halcyon2600

    halcyon2600 Member

    Wow, ok, apparently the forum bot (or admins) stripped out all of what I'd already provided so far, including the part that didn't have domains and IP addresses... thanks. I'll scrub the output (including confirmed blacklisted IPs), and try to repost.
     
  4. halcyon2600

    halcyon2600 Member

    I have replaced all IPs with x.x.x or just x-x-x and my servers and domains with <myserver> & <mydomain>. The who command shows only my session. Below you will see only a snippet of the sessions; I can provide full output if needed. There are between 20 and 52 sessions at any given time mapped to uid 0 (root) and one other WHM/cPanel user account, most mapped to uid 0.

    [root@myserver ~]# who -la
    system boot 2017-09-14 03:27
    LOGIN tty1 2017-09-20 00:29 69704 id=tty1
    run-level 3 2017-09-14 03:31
    root + pts/0 2017-09-21 10:43 . 95134 (my.ip.aaddress)
    pts/1 2017-09-20 20:45 22534 id=ts/1 term=0 exit=0

    ---
    ps aux | grep sshd

    root 119925 0.0 0.0 146576 4764 ? Ss 01:08 0:00 sshd: unknown [priv]
    sshd 119926 0.0 0.0 104908 2404 ? S 01:08 0:00 sshd: unknown [net]

    ---
    netstat -na | grep :22
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
    tcp 0 84 x.x.x.203:22 82.x.x.x:47236 ESTABLISHED
    tcp 0 84 x.x.x.205:22 123.x.x.x:39906 ESTABLISHED
    tcp 1 1 x.x.x.205:22 185.x.x.x:57601 LAST_ACK
    tcp 0 96 x.x.x.205:22 79.x.x.x:10626 ESTABLISHED
    tcp 0 84 x.x.x.203:22 185.x.x.x:40013 ESTABLISHED
    tcp 0 96 x.x.x.203:22 180.x.x.x:2825 ESTABLISHED
    tcp 0 84 x.x.x.203:22 210.x.x.x:55732 ESTABLISHED
    tcp 0 84 x.x.x.205:22 197.x.x.x:50532 ESTABLISHED
    tcp 0 84 x.x.x.203:22 218.x.x.x:33225 ESTABLISHED
    tcp 0 84 x.x.x.203:22 78.x.x.x:38093 ESTABLISHED
    tcp 0 84 x.x.x.205:22 58.x.x.x:1459 ESTABLISHED
    tcp 0 96 x.x.x.205:22 46.x.x.x:53513 ESTABLISHED
    tcp 0 84 x.x.x.205:22 212.x.x.x:51854 ESTABLISHED
    tcp 0 84 x.x.x.205:22 59.x.x.x:44494 ESTABLISHED
    tcp 0 84 x.x.x.203:22 58.x.x.x:16078 ESTABLISHED
    tcp 0 96 x.x.x.205:22 210.x.x.x:9224 ESTABLISHED
    tcp 0 96 x.x.x.205:22 140.x.x.x:3594 ESTABLISHED
    tcp 0 84 x.x.x.203:22 119.x.x.x:51444 ESTABLISHED
    tcp 0 84 x.x.x.203:22 197.x.x.x:38704 ESTABLISHED
    tcp 0 96 x.x.x.205:22 109.x.x.x:50441 ESTABLISHED
    tcp 0 96 x.x.x.203:22 156.x.x.x:55304 ESTABLISHED
    tcp 0 96 x.x.x.203:22 77.x.x.x:49819 ESTABLISHED
    tcp 0 96 x.x.x.203:22 118.x.x.x:2086 ESTABLISHED
    tcp 0 96 x.x.x.203:22 203.x.x.x:45321 ESTABLISHED
    tcp 0 84 x.x.x.205:22 202.x.x.x:60788 ESTABLISHED
    tcp 0 96 x.x.x.205:22 81.x.x.x:30728 ESTABLISHED
    tcp 0 36 x.x.x.205:22 70.x.x.x:51426 ESTABLISHED
    tcp6 0 0 :::22 :::* LISTEN

    ---
    snippet from `lsof -i :22` output:

    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    sshd 119925 root 3u IPv4 15311909 0t0 TCP myserver.mydomain:ssh->54.subnet180-x-x.x.x.net.id:2825 (ESTABLISHED)
    sshd 119926 sshd 3u IPv4 15311909 0t0 TCP myserver.mydomain:ssh->54.subnet180-x-x.x.x.net.id:2825 (ESTABLISHED)

    ---
    example used to show mapping:

    sshd 119925 root 3u IPv4 15311909 0t0 TCP myserver.mydomain:ssh->54.subnet180-x-x.x.x.net.id:2825 (ESTABLISHED)

    ---
    sshd process is running as root, along with many others:

    [root@myserver ~]# ps -eo pid,uid,euid | grep 119925
    119925 0 0
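As an added triage example (not code from the thread, from the poster or from cPanel): the `sshd: unknown [priv]` / `sshd: unknown [net]` pairs in the output above are OpenSSH's privilege-separated processes for connections that have not yet authenticated, so the helpers below count those separately from logged-in sessions and tally ESTABLISHED port-22 connections per remote address. They assume the `ps -eo pid,user,args` and `netstat -na` column layouts; the sample data is constructed, using RFC 5737 test addresses.

```shell
#!/bin/sh
# Added triage helpers (not from the thread). classify_sshd reads
# `ps -eo pid,user,args` style lines; count_ssh_peers reads `netstat -na`
# style lines (Proto Recv-Q Send-Q Local Foreign State). Sample input below
# is constructed, using RFC 5737 test addresses.

# OpenSSH titles a privilege-separated child "sshd: unknown [priv]" (and its
# unprivileged twin "sshd: unknown [net]") until the client authenticates;
# after login the pair becomes "sshd: <user> [priv]" and "sshd: <user>@pts/N".
# Only the [priv] parent is counted so each session is counted once.
classify_sshd() {
    awk '
        /sshd: unknown \[priv\]/ { preauth++; next }
        /sshd: [^ ]+ \[priv\]/   { authed++ }
        END { printf "preauth=%d authed=%d\n", preauth + 0, authed + 0 }
    '
}

# Per-remote-address count of ESTABLISHED connections to local port 22,
# busiest address first; one address holding many slots is the usual
# signature of a scanner or brute-forcer keeping pre-auth sessions open.
count_ssh_peers() {
    awk '$1 ~ /^tcp/ && $4 ~ /:22$/ && $6 == "ESTABLISHED" {
            sub(/:[0-9]+$/, "", $5); peers[$5]++
         }
         END { for (p in peers) printf "%s %d\n", p, peers[p] }' | sort -k2,2nr
}

# Constructed sample data mirroring the shape of the poster's output.
SAMPLE_PS='root 119925 0.0 0.0 146576 4764 ? Ss 01:08 0:00 sshd: unknown [priv]
sshd 119926 0.0 0.0 104908 2404 ? S 01:08 0:00 sshd: unknown [net]
root 119930 0.0 0.0 146576 4764 ? Ss 01:09 0:00 sshd: unknown [priv]
sshd 119931 0.0 0.0 104908 2404 ? S 01:09 0:00 sshd: unknown [net]
root 95134 0.0 0.0 146576 4764 ? Ss 10:43 0:00 sshd: root [priv]
root 95140 0.0 0.0 146576 4764 ? S 10:43 0:00 sshd: root@pts/0'

SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 84 198.51.100.10:22 203.0.113.5:47236 ESTABLISHED
tcp 0 84 198.51.100.10:22 203.0.113.5:40013 ESTABLISHED
tcp 1 1 198.51.100.10:22 203.0.113.9:57601 LAST_ACK
tcp 0 96 198.51.100.10:22 192.0.2.77:10626 ESTABLISHED
tcp 0 0 198.51.100.10:443 192.0.2.77:5555 ESTABLISHED'

# On a live host: ps -eo pid,user,args | classify_sshd ; netstat -na | count_ssh_peers
printf '%s\n' "$SAMPLE_PS" | classify_sshd          # preauth=2 authed=1
printf '%s\n' "$SAMPLE_NETSTAT" | count_ssh_peers   # 203.0.113.5 2, then 192.0.2.77 1
```

A high `preauth` count with `authed` near zero, concentrated on a few addresses, is the pattern to take to the firewall or `MaxStartups`/`LoginGraceTime` settings rather than a sign of compromised logins.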
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look at the affected system?

    Thank you.
     
  6. halcyon2600

    halcyon2600 Member

    Sure, NP. Thanks.
     
  7. halcyon2600

    halcyon2600 Member

    I've submitted the ticket; please don't make any changes to the system. Please provide instructions to me and I will make the changes.

    Thanks!
     