[net] user connction to sshd : SOLVED

Sean Kirkby skirkby at concentrico.net
Wed Jul 20 12:12:24 MDT 2005


Thanks to all who made suggestions.  They were enlightening.
 
We figured out what we were seeing in our netstat report.  It looked
like this:
 

Proto Recv-Q Send-Q Local Address           Foreign Address        
State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*              
LISTEN      11672/sshd
tcp        0      0 10.0.0.75:22            220.80.60.6:3947       
ESTABLISHED 16698/sshd: [net]
...
 
Apparently, if you ssh with password auth, and let the prompt sit for a
number of seconds, this is what you see in the netstat report. 
Apparently the [net] element indicates that the auth attempt was
occuring via password (as opposed to PAM or key-based auth).
 
So, we actually DIDN'T have anyone connected... just someone trying.
 
FWIW.  Thanks again.
 
--sk.

>>> skirkby at concentrico.net 07/09 10:53 PM >>>

Howdy,

We noticed yesterday that there were a number of connections to the
SSH
daemon running on a test box we had running outside our firewall
(running RH 8.0!).  The connections were from someplace in Florida,
and
someplace in Germany (we think).

The user name for the connections were "[net]" (sans quotes)... none
such exists in the shadow file.

Any ideas what this "[net]" user means?  As best we could tell, the
connections were benign (but unsettling)... we've since shut SSHD down
on that box, but I am still curious to know what that user ID is or
means.

Any idears would be appreciated...

Thanks.

--sk.

========================
Sean Kirkby
Concentrico, Inc.
P: (801) 221-7606 x204
W: www.Concentrico.net 
-=-=-=-=-=-=-=-=-=-=-=-=
GroupWise and Linux
     to the Nth Power
- Formativ Solutions
- World-Class Service
========================
.===================================.
| This has been a P.L.U.G. mailing. |
|      Don't Fear the Penguin.      |
|  IRC: #utah at irc.freenode.net   |
`==================================='




More information about the PLUG mailing list