
I have logged in to my server running CentOS 7 via ssh and executed the following command:

[me@server ~]$ ps -ef --forest | grep ssh

root     476     1  0 Dec02 ?       00:00:00 /usr/sbin/sshd -D
root   12366   476  0 23:26 ?       00:00:00  \_ sshd: me[priv]
me     12368 12366  0 23:27 ?       00:00:00  |   \_ sshd: me@pts/0
me     12405 12369  0 23:27 pts/0   00:00:00  |           \_ grep --color=auto ssh
root   12401   476  0 23:27 ?       00:00:00  \_ sshd: root [priv]
sshd   12402 12401  0 23:27 ?       00:00:00      \_ sshd: root [net]
me     12399     1  0 23:27 ?       00:00:00 ssh-agent

What is the second child sshd process (PID = 12401), owned by root? Could it be some malicious connection?

(After disabling root access via ssh, this process doesn't appear.)

Skeeve

1 Answer


In this example you see this pair of processes:

root   12401   476  0 23:27 ?       00:00:00  \_ sshd: root [priv]
sshd   12402 12401  0 23:27 ?       00:00:00      \_ sshd: root [net]

which is quite different from your pair:

root   12366   476  0 23:26 ?       00:00:00  \_ sshd: me[priv]
me     12368 12366  0 23:27 ?       00:00:00  |   \_ sshd: me@pts/0

The sshd: root [priv] is the privileged process of the daemon waiting for the sshd: root [net] child to authenticate. This means that at the time you ran ps, there was some authentication attempt in progress, where the root user was attempting to log in.

This is not rare on public IPs and with sshd services running on the standard port. You can get hundreds of such attempts every day, but if you have a strong password, it is not dangerous.

Jakuje
  • Thanks for the clarification and sorry for accepting your answer late. I have a strong password for root, but in the end I decided to disable root login via ssh in /etc/ssh/sshd_config, and now the privileged process is no longer there (as expected). – Skeeve Jan 12 '16 at 20:48
  • Yes. It is wise to disable root login. Though it does not mean that you will never see such `ps` output. Root is prompted for a password, but the password is never accepted (one of the security principles). – Jakuje Jan 12 '16 at 20:53
  • SSH interfaces that are open to the entire Internet are quite problematic. SSH should only be accessible to a limited set of IP addresses. Require coming from a VPN with 2FA, tunneled SSH via a specific host that is properly firewalled, and/or use a web knocker to dramatically limit the attack surface of the system. If the potential attacker can't even send packets to the system on sensitive ports in the first place, then that stops all sorts of shenanigans from happening. Disabling password logins and requiring an SSH key is a good idea too. – CubicleSoft Feb 12 '22 at 14:22
  • @CubicleSoft I have quite good faith in the OpenSSH code, based on what code I have read through and debugged and based on the CVE track record for recent years. Indeed, you need to keep up to date, and indeed the stuff you suggest never hurts, but it can lock you out of the system very easily if something is misconfigured (VPN), if your provider decides to change your public IP, or if you need to access the system from somewhere else (IP whitelist, 2FA). If an attacker can break into the system by sending packets, the software is broken anyway. – Jakuje Feb 13 '22 at 21:33
  • I have a policy of not opening ports to the Internet unless absolutely necessary. It's a good policy. When SSH is open to the world, I've seen IP addresses from Russia, North Korea, China, and plenty of other obviously bad actors making connections to SSH. You think they do that out of the kindness and goodness of their hearts? No. They do not. – CubicleSoft Feb 14 '22 at 01:15
  • @CubicleSoft Indeed, if you have a different network and different infra in place (VPN), you are mostly moving the security responsibility to another place. I consider the SSH one as the necessary one (given its simplicity and secure configuration). Not allowing password root login will not allow any of these scans from abroad to get through. If you set a complex-enough password, you still have quite a good chance that no one will get through, unless you were explicitly targeted and they had years to get through your password. With proper monitoring, you would have noticed this before that. – Jakuje Feb 15 '22 at 07:19
  • Well, I've seen plenty of networks breached using public SSH. And they weren't targeting root. Attacks these days are highly sophisticated. Closing SSH to the world is the only viable option as part of a defense in depth strategy - assume everyone will attack, including insiders. – CubicleSoft Feb 15 '22 at 13:47
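The [priv]/[net] pair the answer explains can be checked for mechanically. The following shell script is an added example (not from the question, the answer, or OpenSSH itself) that parses `ps -ef --forest` output and lists logins still in the pre-authentication phase, i.e. a `[priv]` monitor whose child is still the `[net]` process rather than a `user@pts/N` session. The sample listing inside it is constructed from the question's output, and it assumes the command text has the form `sshd: <user> [priv]` / `sshd: <user> [net]` as OpenSSH prints it.

```shell
#!/bin/sh
# Constructed sample of `ps -ef --forest` output, modelled on the question's
# listing: one authenticated session for "me" and one root login still in
# the authentication phase ([priv] monitor with an unprivileged [net] child).
SAMPLE_PS='root     476     1  0 Dec02 ?       00:00:00 /usr/sbin/sshd -D
root   12366   476  0 23:26 ?       00:00:00  \_ sshd: me [priv]
me     12368 12366  0 23:27 ?       00:00:00  |   \_ sshd: me@pts/0
root   12401   476  0 23:27 ?       00:00:00  \_ sshd: root [priv]
sshd   12402 12401  0 23:27 ?       00:00:00      \_ sshd: root [net]'

# pending_auth: read `ps -ef` (optionally --forest) output on stdin and print
# "<pid> <user>" for every sshd [priv] monitor whose child is still the
# [net] pre-auth process, i.e. logins that have not authenticated yet.
# A [priv] monitor whose child is "sshd: user@pts/N" is a completed login
# and is not reported.
pending_auth() {
    awk '
    {
        # CMD starts at field 8 (UID PID PPID C STIME TTY TIME CMD);
        # drop the --forest tree glyphs so the command text is comparable.
        cmd = ""
        for (i = 8; i <= NF; i++) {
            if ($i == "\\_" || $i == "|") continue
            cmd = cmd (cmd == "" ? "" : " ") $i
        }
        if (cmd ~ /^sshd: .*\[priv\]$/) {
            u = cmd
            sub(/^sshd: /, "", u)
            sub(/ ?\[priv\]$/, "", u)
            priv_user[$2] = u          # keyed by the monitor PID
        } else if (cmd ~ /^sshd: .*\[net\]$/) {
            net_parent[$3] = 1         # keyed by the parent (monitor) PID
        }
    }
    END {
        for (pid in priv_user)
            if (pid in net_parent) print pid, priv_user[pid]
    }' | sort
}

# Stand-alone run on the constructed sample; on a real host use:
#   ps -ef --forest | pending_auth
printf '%s\n' "$SAMPLE_PS" | pending_auth
```

Run periodically, the output gives a quick view of who is currently at the password or key prompt; for a host where root login is disabled, any `root` entry is a rejected-by-policy attempt as the comments above describe.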