On 28.07.25 23:36, Zakaria wrote:
... drove me to analyse every corner in linux system ...... sometimes hours later like today and other days later, and at random times, I get a notification that a new ssh session was started, and when I login to the server to inspect, I find no login session and no hinting traces in netstat, top, secure and messages log, utmp dump etc. I noticed that all of the sessions with specific PIDs, which get reported as having been active for a very short period of time, are identical to previous sessions I started and have already terminated. After observing the server for months, I noticed I get a new session report whenever I run the sudo -i who -a command ...
This is from a rather busy (for our standards), Linux-based SFTP server where I looked up the "history" of the sshd PID involved in my own login:
# grep ' sshd\[26671\]: .* session ' /var/log/secure | sed -e 's/:.. .*://' -e 's/\( user [^b]\).*/\1.../'
Jul 27 21:05 session opened for user t...
Jul 27 21:05 session closed for user t...
Jul 28 07:39 session opened for user C...
Jul 28 07:39 session closed for user C...
Jul 28 14:40 session opened for user C...
Jul 28 14:40 session closed for user C...
Jul 29 00:25 session opened for user l...
Jul 29 00:25 session closed for user l...
Jul 29 03:38 session opened for user C...
Jul 29 03:38 session closed for user C...
Jul 29 05:33 session opened for user n...
Jul 29 05:33 session closed for user n...
Jul 29 11:58 session opened for user bern by (uid=0)
As you can see, PIDs getting reused for different sessions is a perfectly normal thing. The *frequency* at which it happens depends on use (is your server's SSH port open to the entire Internet? If yes, you're bound to be hit with scans 24/7) and other factors (our SFTP(!) server still uses 32 bit PIDs), of course.
Having that said, if you see an *SSH session* being reported when running the "sudo -i who -a" command (*without* SSHing into the server anew for every time you run it), something's amiss. It'll certainly create "sessions" of some kind, so there's room for a misinterpretation, depending on what inputs your detector uses, but it shouldn't involve sshd, neither for itself nor as in "resurrecting" already-terminated SSH sessions.
Since you mention that the server in question is being hosted, would it be possible to run the detector and an artificial SSH-logins load on a local machine to see whether the symptom appears there as well?
Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
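An added example (mine, not code from the thread) showing why a detector that treats the sshd PID as the identity of a session mis-reads a history like the PID 26671 excerpt above, and how pairing each "session opened" with the next "session closed" on the same PID recovers the distinct logins. The /var/log/secure lines, the hostname and the user names are constructed; the line format assumes the usual pam_unix prefix that the sed expression in the message strips off.

```python
import re

# Constructed /var/log/secure lines (hostname and user names made up), modelled
# on the PID-26671 history quoted in the message above. Syslog lines carry
# seconds and a pam_unix prefix that the message's sed expression removes.
SAMPLE_LOG = """\
Jul 27 21:05:10 sftp1 sshd[26671]: pam_unix(sshd:session): session opened for user tom by (uid=0)
Jul 27 21:05:41 sftp1 sshd[26671]: pam_unix(sshd:session): session closed for user tom
Jul 28 07:39:02 sftp1 sshd[26671]: pam_unix(sshd:session): session opened for user carl by (uid=0)
Jul 28 07:39:30 sftp1 sshd[26671]: pam_unix(sshd:session): session closed for user carl
Jul 29 11:58:05 sftp1 sshd[26671]: pam_unix(sshd:session): session opened for user bern by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:session\): session (?P<event>opened|closed) for user (?P<user>\S+)"
)

def parse(log_text):
    """Yield (timestamp, pid, event, user) for every sshd session line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], int(m["pid"]), m["event"], m["user"]

def sessions_by_pid_only(log_text):
    """Naive detector state: one entry per sshd PID. Because the kernel hands
    the same PID to later sshd children, earlier logins are overwritten and a
    re-used PID looks like an already-terminated session coming back."""
    seen = {}
    for _ts, pid, event, user in parse(log_text):
        if event == "opened":
            seen[pid] = user
    return seen

def sessions_by_open_close(log_text):
    """Pair each 'opened' with the next 'closed' on the same PID, so a PID is
    an identity only for the lifetime of one session. Returns a list of
    (pid, user, opened_at, closed_at); closed_at is None if still open."""
    open_sessions, finished = {}, []
    for ts, pid, event, user in parse(log_text):
        if event == "opened":
            open_sessions[pid] = (user, ts)
        elif event == "closed" and pid in open_sessions:
            u, opened_at = open_sessions.pop(pid)
            finished.append((pid, u, opened_at, ts))
    for pid, (u, opened_at) in open_sessions.items():
        finished.append((pid, u, opened_at, None))
    return finished
```

On the sample, keying by PID alone leaves a single entry for PID 26671 (user bern), while open/close pairing yields three separate sessions, the last of them still open.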