I am transitioning servers away from port 22 in an existing multiuser environment. I have configured sshd to listen on two ports: 22 and the new port.
Now I would like to detect when a user connects or is connected to port 22. This is apparently harder than I anticipated.
I tried cranking up the logging in sshd_config but even DEBUG doesn't record the port number.
I am currently scanning netstat's output for TCP connections to port 22 but that lists a hell of a lot of false positives from random bot scanners. [the reason for the port move]
Using

lsof -n -i TCP:22 -a -c sshd -a -u ^root,^sshd

you can get a list of sshd processes and user names with their sockets on port 22. It is skipping those owned by root or sshd because they do not correspond to logged-in users.

A completely different approach would be to add some commands to /etc/ssh/sshrc, which will parse $SSH_CONNECTION and log it:

logger -p auth.notice -t "sshd[$$]" "$SSH_CONNECTION"

A third approach is to create a second instance of sshd for port 22 and configure it to log to a different facility.

Try something like this:
To clarify, the objective of this command is to match the lsof hits (which show the port used) with the sessions from who with pts (extracting the PIDs from the output) in order to filter out the false positives. In other words, it shows the connections from the processes with the PIDs holding a pts ssh session.