LSOF connection established

Submitted by 时间秒杀一切 on 2021-02-08 08:39:19

Question


I was wondering, if the output of

lsof -i 

sshd      21880     root    3r  IPv4 4843515       TCP somehost.lu.isp.com:ssh->d-XX-XXX.ITS.SOMEWHERE.COM:45037 (ESTABLISHED)
sshd      21882     mike    3u  IPv4 4843515       TCP somehost.lu.isp.com:ssh->d-XX-XXX.ITS.SOMEWHERE.COM:45037 (ESTABLISHED)
sshd      23853     root    3u  IPv6  960417       TCP *:ssh (LISTEN)
sshd      23853     root    4u  IPv4  960419       TCP *:ssh (LISTEN)
sshd      24043     root    3r  IPv4 4871654       TCP somehost.lu.isp.com:ssh->XXX.XX.XXX.XXX:42104 (ESTABLISHED)
sshd      24044     sshd    3u  IPv4 4871654       TCP somehost.lu.isp.com:ssh->XXX.XX.XXX.XXX:42104 (ESTABLISHED)

Does that imply that somebody has logged in on the system and is currently doing something? Or does it mean it's just trying to log in? I'm not quite sure about it.

Any clues? Thanks


Answer 1:


According to this

lsof -i only shows you active TCP connections. So it doesn't tell you if they're logged in or still attempting to authenticate.

If you want to check who's logged in and from where, you can run the "who" command, which will give you a list of the users logged in and where they're logged in from (e.g. ssh, tty, etc.).




Answer 2:


The 'ESTABLISHED' means the TCP connection is established, i.e. the handshake has been performed on TCP/IP level. This is needed before the ssh process sees any data at all. Theoretically, the connection could be quite long in ESTABLISHED mode without sending any data depending on the timeouts set (on TCP level and/or sshd config). Expect login to occur after it.

To look into it more, use 'iptraf' for monitoring the amount of traffic, or see /var/log/auth.log (at least, on a Debian system) for seeing who successfully logged on.
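
Added example (not part of either answer): one way to combine the two sources mentioned above, matching each ESTABLISHED sshd socket from lsof -i against "Accepted" lines in auth.log to separate logged-in sessions from connections that have only completed the TCP handshake. The auth.log lines and IP addresses are constructed sample data, and the function names are hypothetical; it assumes lsof prints the remote port numerically and that the logged PID is one of the sshd processes holding the socket.

```python
import re
from collections import defaultdict

# Constructed sample input. The lsof lines mirror the question's output;
# the auth.log lines are invented (documentation IPs), Debian-style format.
LSOF_OUTPUT = """\
sshd 21880 root 3r IPv4 4843515 TCP somehost.lu.isp.com:ssh->d-XX-XXX.ITS.SOMEWHERE.COM:45037 (ESTABLISHED)
sshd 21882 mike 3u IPv4 4843515 TCP somehost.lu.isp.com:ssh->d-XX-XXX.ITS.SOMEWHERE.COM:45037 (ESTABLISHED)
sshd 23853 root 4u IPv4 960419 TCP *:ssh (LISTEN)
sshd 24043 root 3r IPv4 4871654 TCP somehost.lu.isp.com:ssh->XXX.XX.XXX.XXX:42104 (ESTABLISHED)
sshd 24044 sshd 3u IPv4 4871654 TCP somehost.lu.isp.com:ssh->XXX.XX.XXX.XXX:42104 (ESTABLISHED)
"""
AUTH_LOG = """\
Feb  8 08:31:02 somehost sshd[21880]: Accepted publickey for mike from 192.0.2.10 port 45037 ssh2
Feb  8 08:38:40 somehost sshd[24043]: Failed password for invalid user admin from 198.51.100.7 port 42104 ssh2
"""

LSOF_RE = re.compile(r"^sshd\s+(\d+)\s+(\S+)\s.*->(\S+):(\d+)\s+\(ESTABLISHED\)$")
ACCEPT_RE = re.compile(r"sshd\[(\d+)\]: Accepted \S+ for (\S+) from \S+ port (\d+)")

def established_peers(lsof_text):
    """Map each remote 'host:port' to the set of sshd PIDs holding that socket."""
    peers = defaultdict(set)
    for line in lsof_text.splitlines():
        m = LSOF_RE.match(line.strip())
        if m:  # LISTEN sockets and non-sshd lines do not match
            pid, _owner, host, port = m.groups()
            peers[f"{host}:{port}"].add(int(pid))
    return peers

def accepted_logins(auth_text):
    """Map (sshd pid, client port) to the user named in an 'Accepted' line."""
    return {(int(m.group(1)), int(m.group(3))): m.group(2)
            for m in ACCEPT_RE.finditer(auth_text)}

def classify(lsof_text, auth_text):
    """Return {peer: username or None}; None means no accepted login was logged."""
    logins = accepted_logins(auth_text)
    result = {}
    for peer, pids in established_peers(lsof_text).items():
        port = int(peer.rsplit(":", 1)[1])
        hits = [logins[(p, port)] for p in sorted(pids) if (p, port) in logins]
        result[peer] = hits[0] if hits else None
    return result

if __name__ == "__main__":
    for peer, user in classify(LSOF_OUTPUT, AUTH_LOG).items():
        print(f"{peer}: {'logged in as ' + user if user else 'ESTABLISHED, no accepted login in log'}")
```

A None result only means the supplied log text holds no matching "Accepted" line; a rotated log would produce the same result for a session that did log in.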



Source: https://stackoverflow.com/questions/988424/lsof-connection-established
