[net] user connection to sshd : SOLVED

Sean Kirkby skirkby at concentrico.net
Wed Jul 20 12:12:24 MDT 2005

Thanks to all who made suggestions.  They were enlightening.
We figured out what we were seeing in our netstat report.  It looked
like this:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0    *                                            LISTEN      11672/sshd
tcp        0      0                                                 ESTABLISHED 16698/sshd: [net]

Apparently, if you ssh with password auth, and let the prompt sit for a
number of seconds, this is what you see in the netstat report. 
Apparently the [net] element indicates that the auth attempt was
occurring via password (as opposed to PAM or key-based auth).
So, we actually DIDN'T have anyone connected... just someone trying.
FWIW.  Thanks again.

>>> skirkby at concentrico.net 07/09 10:53 PM >>>


We noticed yesterday that there were a number of connections to the
daemon running on a test box we had running outside our firewall
(running RH 8.0!).  The connections were from someplace in Florida,
someplace in Germany (we think).

The user name for the connections was "[net]" (sans quotes)... none
such exists in the shadow file.

Any ideas what this "[net]" user means?  As best we could tell, the
connections were benign (but unsettling)... we've since shut SSHD down
on that box, but I am still curious to know what that user ID is or

Any idears would be appreciated...



Sean Kirkby
Concentrico, Inc.
P: (801) 221-7606 x204
W: www.Concentrico.net 
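
Added example, not part of the original message: a small triage script that reads `netstat -tnp` style output and separates sshd sockets sitting in the `[net]` state (someone trying, per the post's conclusion) from the listener and from other sshd connections. The addresses and all rows except the two PIDs quoted in the post are constructed sample data, and the function names are this example's own.

```python
from collections import Counter

# Constructed sample in `netstat -tnp` layout. Addresses come from the
# documentation ranges; only PIDs 11672 and 16698 appear in the post.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22         0.0.0.0:*           LISTEN      11672/sshd
tcp        0      0 192.0.2.10:22      198.51.100.7:40112  ESTABLISHED 16698/sshd: [net]
tcp        0      0 192.0.2.10:22      198.51.100.7:40115  ESTABLISHED 16702/sshd: [net]
tcp        0      0 192.0.2.10:22      203.0.113.5:51544   ESTABLISHED 16650/sshd: alice [priv]
tcp        0      0 192.0.2.10:25      203.0.113.9:33010   ESTABLISHED 901/master
"""

def sshd_sockets(text):
    """Yield (pid, title, state, remote_host) for each sshd-owned TCP socket."""
    for line in text.splitlines():
        # The program name can contain spaces ("sshd: [net]"), so split
        # only the first six columns and keep the remainder whole.
        parts = line.split(None, 6)
        if len(parts) < 7 or not parts[0].startswith("tcp"):
            continue  # header line, or a row without a program column
        foreign, state, prog = parts[4], parts[5], parts[6].strip()
        pid, _, title = prog.partition("/")
        if title.startswith("sshd"):
            yield int(pid), title, state, foreign.rsplit(":", 1)[0]

def classify(title, state):
    """Label a socket from its state and process title."""
    if state == "LISTEN":
        return "listener"
    # Assumption taken from the post: an ESTABLISHED socket whose title
    # ends in "[net]" is an attempt that has not logged in.
    if state == "ESTABLISHED" and title.endswith("[net]"):
        return "pre-auth"
    return "other"

def summary(text):
    """Count sshd sockets per label."""
    return Counter(classify(t, s) for _p, t, s, _h in sshd_sockets(text))

def preauth_by_source(text):
    """Count pre-auth sockets per remote host, to spot repeated attempts."""
    return Counter(h for _p, t, s, h in sshd_sockets(text)
                   if classify(t, s) == "pre-auth")

if __name__ == "__main__":
    print(dict(summary(SAMPLE)))
    for host, count in preauth_by_source(SAMPLE).most_common():
        print(f"{host}: {count} unauthenticated connection(s)")
```

On a live host, pass it the output of `netstat -tnp` captured as root, since the PID/Program name column is only filled in for processes the caller may inspect.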