Strange Processes Running

jodasi

Hi there

Has anyone seen processes like this?

sshd 12536 0.0 0.3 5364 1472 ? S 00:10 0:00 sshd: unknown [net]
sshd 12613 0.0 0.3 5364 1472 ? S 00:10 0:00 sshd: unknown [net]
sshd 12636 0.0 0.3 5364 1472 ? S 00:10 0:00 sshd: unknown [net]
sshd 12647 0.0 0.3 5364 1472 ? S 00:10 0:00 sshd: unknown [net]
sshd 12672 0.0 0.3 5364 1472 ? S 00:10 0:00 sshd: unknown [net]
sshd 12673 0.0 0.3 5364 1472 ? S 00:10 0:00 sshd: unknown [net]

Should this be normal?

Thanks
Jodasi
 
I have been seeing these too. Looks like an attempted intrusion like someone trying to hang the machine with several attempts at establishing an SSH terminal. Didn't concern me at first but when I see things like this it is starting to get my attention.

sshd: unknown [priv] (sshd)

Anybody else seeing anything like this?

Big Wil
 
Ok. These are starting to become an issue. Looks like these are attempted DoS attacks from various remote locations around the globe. A couple of days I have seen as many as 300 processes opened. Is there a way to completely block this [net] process and only allow privileged users?

Big Wil
 
Not aware of a way to block just [net] at the firewall. I can block port 22 but don't want that. Is net a user? Group? Privilege level?

Big Wil
 
BigWil said:
Not aware of a way to block just [net] at the firewall. I can block port 22 but don't want that. Is net a user? Group? Privilege level?

Big Wil

Actually, you want to block port 22.
Just run SSH on another port.
 
Ok now don't even ask me why I didn't think of that. Very good idea. Any suggestions for a port number? Something up in the 5000s maybe?

Big Wil
 
BigWil said:
Ok now don't even ask me why I didn't think of that. Very good idea. Any suggestions for a port number? Something up in the 5000s maybe?

Big Wil

If you are going with moving port numbers... I would suggest moving up to > 30000 and < 65535

Something in that region will ensure it's not in one of the assigned port numbers.

I use DenyHosts and keep it on Port 22 for simplicity. :cool:
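
Added example, not part of any post in this thread: a small Python check that counts the per-connection sshd children shown in the posts above from `ps aux` text. OpenSSH's privilege separation titles the unprivileged pre-authentication child `[net]` and its privileged monitor `[priv]`. The first three sample lines come from the first post, the rest are constructed, and the alert threshold is an assumption to tune per host.

```python
import re
from collections import Counter

# Sample input: the first three lines are from the first post in the thread;
# the remaining four lines are constructed for this example.
SAMPLE_PS = """\
sshd 12536 0.0 0.3 5364 1472 ? S 00:10 0:00 sshd: unknown [net]
sshd 12613 0.0 0.3 5364 1472 ? S 00:10 0:00 sshd: unknown [net]
sshd 12636 0.0 0.3 5364 1472 ? S 00:10 0:00 sshd: unknown [net]
root 12535 0.0 0.4 5364 2010 ? S 00:10 0:00 sshd: unknown [priv]
root 2201 0.0 0.4 5364 2100 ? S 00:02 0:00 sshd: alice [priv]
alice 2203 0.0 0.3 5364 1500 ? S 00:02 0:00 sshd: alice@pts/0
root 811 0.0 0.2 4100 1100 ? Ss Mar14 0:00 /usr/sbin/sshd
"""

# COMMAND column of a per-connection sshd child: "sshd: <label> [net|priv]".
# No end anchor, so a trailing " (sshd)" as in the second post still matches.
TITLE = re.compile(r"^sshd: (?P<label>\S+) \[(?P<role>net|priv)\]")


def count_sshd_children(ps_text):
    """Return a Counter keyed by (label, role) for sshd children in ps aux text."""
    counts = Counter()
    for line in ps_text.splitlines():
        fields = line.split(None, 10)  # ps aux: 10 columns, then COMMAND
        if len(fields) < 11:
            continue
        match = TITLE.match(fields[10])
        if match:
            counts[(match["label"], match["role"])] += 1
    return counts


def unknown_net_alert(ps_text, threshold):
    """True when the number of 'unknown [net]' children reaches the threshold."""
    return count_sshd_children(ps_text)[("unknown", "net")] >= threshold


if __name__ == "__main__":
    for (label, role), n in sorted(count_sshd_children(SAMPLE_PS).items()):
        print(f"{n:4d}  sshd: {label} [{role}]")
    # Threshold of 3 is an assumed value chosen to trip on the sample.
    print("alert:", unknown_net_alert(SAMPLE_PS, threshold=3))
```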
 