# Connection to SSHD with user sshd? Help please



## davkiller (Aug 21, 2012)

Hello,

My English is bad, I am very sorry. I hope I fear for nothing. Is it possible to connect to ssh with user sshd?

My configuration:

```
sshd_conf
PermitRootLogin no 
allowusers myuser (only)
allowgroups wheel (only)
```


```
[root@*** /# sockstat 
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
sshd     sshd       42639 3  tcp4   88.191.***.***:22     201.116.36.180:43344
sshd     sshd       42639 4  stream -> ??
root     sshd       42638 3  tcp4   88.191.***.***:22     201.116.36.180:43344
root     sshd       42638 6  stream -> ??
root     sshd       41836 3  tcp6   *:22                  *:*
root     sshd       41836 4  tcp4   *:22                  *:*
ddr****  sshd       41757 3  tcp4   88.191.***.***:22     MY IP:50175
ddr****  sshd       41757 4  stream -> ??
root     sshd       41753 3  tcp4   88.191.***.***:22     MY IP:50175
root     sshd       41753 5  stream -> ??
```

Thank you for your help.

David


----------



## anomie (Aug 21, 2012)

May be OK. You have removed potentially relevant information from your command output, and it's hard to know what is going on without it. For starters, you may wish to use: 
`# sockstat -4c`
Less noise in that output. 

As for the connected IP: 

```
~> dig -x 201.116.36.180

;; ANSWER SECTION:
180.36.116.201.in-addr.arpa. 89786 IN	PTR	static.customer-201-116-36-180.uninet-ide.com.mx.
```

Is that unexpected? If so, you may wish to look at output from: 
`# fstat -p 42639`


----------



## davkiller (Aug 21, 2012)

Thank you very much.

Here it is me. But 201.116.36.180 is unknown!

```
[root@guf /]# sockstat -4c
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
ddr      sshd       41757 3  tcp4   88.191.227.100:22     82.232.73.201:50175
root     sshd       41753 3  tcp4   88.191.227.100:22     82.232.73.201:50175
ddr      sshd       24601 3  tcp4   88.191.227.100:22     82.232.73.201:46115
root     sshd       24598 3  tcp4   88.191.227.100:22     82.232.73.201:46115
ddr      sshd       71127 3  tcp4   88.191.227.100:22     88.172.161.114:59213
root     sshd       71123 3  tcp4   88.191.227.100:22     88.172.161.114:59213
ddr      sshd       65655 3  tcp4   88.191.227.100:22     88.172.161.114:54000
root     sshd       65607 3  tcp4   88.191.227.100:22     88.172.161.114:54000
```


```
[root@** /]# fstat -p 43877
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
sshd     sshd       43877 root /var     3532800 dr-xr-xr-x     512  r
sshd     sshd       43877   wd /var     3532800 dr-xr-xr-x     512  r
sshd     sshd       43877 jail /var     3532800 dr-xr-xr-x     512  r
sshd     sshd       43877 text /usr     5958662 -r-xr-xr-x  194032  r
sshd     sshd       43877    0 /dev         28 crw-rw-rw-    null rw
sshd     sshd       43877    1 /dev         28 crw-rw-rw-    null rw
sshd     sshd       43877    2 /dev         28 crw-rw-rw-    null rw
sshd     sshd       43877    3* internet stream tcp c85dfae0
sshd     sshd       43877    4* local stream c4352348 <-> c43517e0
sshd     sshd       43877    5* pipe c41fa874 <-> c41fa7bc      0 rw
```

My question is: is it dangerous for my server?


----------



## anomie (Aug 21, 2012)

Have you made any changes to sshd_config(5)? Specifically, are you using *ChrootDirectory*? 

Check /var/log/auth.log to see if a user named "sshd" has actually authenticated. (Not likely. It is a system / service account.) 

Search for the offending IP in that log file. He may just be launching a dictionary attack against your server. Remember, you are only seeing established TCP connections with the sockstat(1) output. You are not looking at authenticated sessions. Assuming he has not logged in, and that you're using and enforcing strong passwords, and that you keep your FreeBSD system up to date, I would not worry about it too much.


----------
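
The log check described in the post above, as an added example that is not part of the original thread: it separates connections that only failed from ones that actually authenticated, which sockstat(1) cannot show. The log lines are constructed, the IP addresses are documentation placeholders, the function names are hypothetical, and the traditional syslog layout of OpenSSH messages in /var/log/auth.log is assumed.

```shell
#!/bin/sh
# Added example: classify sshd events per source IP in an auth.log-style file.

# Constructed sample input (placeholder host name, PIDs and addresses).
sample_log() {
cat <<'EOF'
Aug 21 10:02:11 host sshd[42638]: Invalid user admin from 203.0.113.7
Aug 21 10:02:13 host sshd[42638]: Failed password for invalid user admin from 203.0.113.7 port 43344 ssh2
Aug 21 10:02:19 host sshd[42650]: Failed password for root from 203.0.113.7 port 43390 ssh2
Aug 21 10:02:25 host sshd[42661]: Failed password for invalid user sshd from 203.0.113.7 port 43412 ssh2
Aug 21 10:05:40 host sshd[41753]: Accepted publickey for ddr from 198.51.100.20 port 50175 ssh2
EOF
}

# count_events FILE IP KIND: number of sshd lines of KIND (Accepted|Failed) from IP.
# Matching on the "from <ip>" token pair avoids substring hits such as 203.0.113.70.
count_events() {
    awk -v ip="$2" -v kind="$3" '
        $5 ~ /^sshd\[/ && $6 == kind {
            for (i = 7; i < NF; i++)
                if ($i == "from" && $(i + 1) == ip) { n++; break }
        }
        END { print n + 0 }' "$1"
}

# accepted_logins FILE: unique "user ip" pairs that really authenticated.
accepted_logins() {
    awk '$5 ~ /^sshd\[/ && $6 == "Accepted" && $8 == "for" { print $9, $11 }' "$1" | sort -u
}

# verdict FILE IP: authenticated | failed-only | not-seen
verdict() {
    ok=$(count_events "$1" "$2" Accepted)
    bad=$(count_events "$1" "$2" Failed)
    if [ "$ok" -gt 0 ]; then echo authenticated
    elif [ "$bad" -gt 0 ]; then echo failed-only
    else echo not-seen
    fi
}

# Demo on the constructed sample; on a real host pass /var/log/auth.log instead.
log=$(mktemp) && sample_log > "$log"
echo "203.0.113.7: $(verdict "$log" 203.0.113.7)"
echo "accepted logins: $(accepted_logins "$log")"
rm -f "$log"
```

A `failed-only` verdict for the unknown address corresponds to the dictionary-attack case; any `authenticated` result for an address or user you do not recognise is the one to investigate.

----------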



## davkiller (Aug 21, 2012)

Thank you very much.
I am reassured!
Actually, I have not succeeded in connecting the log
long as it lasts.


----------

