[net] user connection to sshd : SOLVED
skirkby at concentrico.net
Wed Jul 20 12:12:24 MDT 2005
Thanks to all who made suggestions. They were enlightening.
We figured out what we were seeing in our netstat report. It looked
Proto Recv-Q Send-Q Local Address    Foreign Address        State        PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*
tcp        0      0 10.0.0.75:22     220.127.116.11:3947    ESTABLISHED  16698/sshd: [net]
Apparently, if you ssh with password auth, and let the prompt sit for a
number of seconds, this is what you see in the netstat report.
Apparently the [net] element indicates that the auth attempt was
occurring via password (as opposed to PAM or key-based auth).
So, we actually DIDN'T have anyone connected... just someone trying.
FWIW. Thanks again.
>>> skirkby at concentrico.net 07/09 10:53 PM >>>
We noticed yesterday that there were a number of connections to the
daemon running on a test box we had running outside our firewall
(running RH 8.0!). The connections were from someplace in Florida,
someplace in Germany (we think).
The user name for the connections was "[net]" (sans quotes)... none
such exists in the shadow file.
Any ideas what this "[net]" user means? As best we could tell, the
connections were benign (but unsettling)... we've since shut SSHD down
on that box, but I am still curious to know what that user ID is or
Any idears would be appreciated...
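An added example, not part of the original post: a small Python triage of `netstat -tanp` output that separates sshd sockets still sitting at an unfinished login (process title ending in `[net]`, as the post concludes) from logged-in sessions. It assumes logged-in sessions carry a `sshd: user@tty` title; the sample output, addresses and the user `alice` are constructed.

```python
import re

# Constructed sample of `netstat -tanp` output; addresses are documentation ranges.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address    Foreign Address      State        PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*            LISTEN       1204/sshd
tcp        0      0 10.0.0.75:22     198.51.100.7:3947    ESTABLISHED  16698/sshd: [net]
tcp        0      0 10.0.0.75:22     203.0.113.9:51512    ESTABLISHED  16702/sshd: alice@pts/0
tcp        0      0 10.0.0.75:25     192.0.2.44:40112     ESTABLISHED  901/sendmail: accepting
"""

# The program name may contain spaces ("sshd: [net]"), so capture to end of line.
ROW = re.compile(
    r"^tcp\S*\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+"
    r"(?P<state>[A-Z_0-9]+)\s+(?P<pid>\d+)/(?P<prog>.+?)\s*$"
)

def classify(prog):
    """Map a netstat program name to an sshd connection status."""
    name, _, title = prog.partition(":")
    if name.strip() != "sshd":
        return None                            # socket is not owned by sshd
    title = title.strip()
    if title.endswith("[net]"):
        return "auth-pending"                  # someone trying, nobody logged in
    if "@" in title:
        return "session:" + title.split("@")[0]  # assumed "user@tty" title
    return "other"                             # listener or unrecognised title

def sshd_connections(netstat_text):
    """Return (peer, pid, status) for every ESTABLISHED sshd socket."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m["state"] != "ESTABLISHED":
            continue                           # header, LISTEN, or no PID shown
        status = classify(m["prog"])
        if status is not None:
            found.append((m["peer"], int(m["pid"]), status))
    return found

if __name__ == "__main__":
    for peer, pid, status in sshd_connections(SAMPLE):
        print(f"{peer:22} pid={pid:<6} {status}")
```

netstat only fills in the PID/Program name column for other users' processes when run as root; rows without it are skipped here.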