How do I find which software is doing an SSH connection?Ubuntu SSH issueHow do I clear out the ssh-agent entries (on Mac OS X )?Potential SSH security problem?weird SSH connection timed outSFTP Connection to Windows 2008 Server Running RemotelyAnywhereCannot access srx220 router from browserHow to authenticate with git?Passwordless ssh2 not working, to many authentication failuresfail2ban has maxretry of 3 but I see authentication failures repeated 5 timesPermission denied, please try again - when trying to ssh to a machine
Require advice on power conservation for backpacking trip
Using “sparkling” as a diminutive of “spark” in a poem
Why doesn't a marching band have strings?
Go Get the Six Six-Pack
Does ultrasonic bath cleaning damage laboratory volumetric glassware calibration?
What happens when your group is victim of a surprise attack but you can't be surprised?
How can I get more energy without spending coins?
How can I repair scratches on a painted French door?
Why do some games show lights shine through walls?
Alphabet completion rate
Is adding a new player (or players) a DM decision, or a group decision?
What are the benefits of using the X Card safety tool in comparison to plain communication?
Does the posterior necessarily follow the same conditional dependence structure as the prior?
Story-based adventure with functions and relationships
What kind of wire should I use to pigtail an outlet?
Why is C++ initial allocation so much larger than C's?
Dimensions of list used in test
Why is the Turkish president's surname spelt in Russian as Эрдоган, with г?
Cascading Repair Costs following Blown Head Gasket on a 2004 Subaru Outback
Should I tell my insurance company I'm making payments on my new car?
MH370 blackbox - is it still possible to retrieve data from it?
Did Karl Marx ever use any example that involved cotton and dollars to illustrate the way capital and surplus value were generated?
Peace Arch without exiting USA
Change CPU MHz from Registry
How do I find which software is doing an SSH connection?
Ubuntu SSH issueHow do I clear out the ssh-agent entries (on Mac OS X )?Potential SSH security problem?weird SSH connection timed outSFTP Connection to Windows 2008 Server Running RemotelyAnywhereCannot access srx220 router from browserHow to authenticate with git?Passwordless ssh2 not working, to many authentication failuresfail2ban has maxretry of 3 but I see authentication failures repeated 5 timesPermission denied, please try again - when trying to ssh to a machine
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I use a key (not password) to ssh into a server, but my IP address is frequently banned by the server.
After looking into the server auth.log, I found that someone (or some software) is trying every 10-20 minutes to ssh with the wrong password.
Jun 15 21:23:26 www sshd[31046]: Failed password for git from 218.81.128.80 port 37012 ssh2
Jun 15 21:23:26 www sshd[31046]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37012 ssh2 [preauth]
Jun 15 21:23:26 www sshd[31046]: Disconnecting authenticating user git 218.81.128.80 port 37012: Too many authentication failures [preauth]
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37146 ssh2 [preauth]
Jun 15 21:33:26 www sshd[31931]: Disconnecting authenticating user git 218.81.128.80 port 37146: Too many authentication failures [preauth]
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
Jun 15 21:53:26 www sshd[870]: error: maximum authentication attempts exceeded for git from 101.81.237.208 port 37384 ssh2 [preauth]
Jun 15 21:53:26 www sshd[870]: Disconnecting authenticating user git 101.81.237.208 port 37384: Too many authentication failures [preauth]
I'm using pycharm/phpstorm, etc., and created a Git server on my server.
I've checked the settings for these two software packages and have no idea what is happening.
I even changed my computer, but it made no difference.
ssh git login pycharm
edited Jun 16 at 12:16
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
asked Jun 15 at 14:09
Charles BaoCharles Bao
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
I use a key (not password) to ssh into a server, but my IP address is frequently banned by the server.
After looking into the server auth.log, I found that someone (or some software) is trying every 10-20 minutes to ssh with the wrong password.
Jun 15 21:23:26 www sshd[31046]: Failed password for git from 218.81.128.80 port 37012 ssh2
Jun 15 21:23:26 www sshd[31046]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37012 ssh2 [preauth]
Jun 15 21:23:26 www sshd[31046]: Disconnecting authenticating user git 218.81.128.80 port 37012: Too many authentication failures [preauth]
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37146 ssh2 [preauth]
Jun 15 21:33:26 www sshd[31931]: Disconnecting authenticating user git 218.81.128.80 port 37146: Too many authentication failures [preauth]
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
Jun 15 21:53:26 www sshd[870]: error: maximum authentication attempts exceeded for git from 101.81.237.208 port 37384 ssh2 [preauth]
Jun 15 21:53:26 www sshd[870]: Disconnecting authenticating user git 101.81.237.208 port 37384: Too many authentication failures [preauth]
I'm using pycharm/phpstorm, etc., and created a Git server on my server.
I've checked the settings for these two software packages and have no idea what is happening.
I even changed my computer, but it made no difference.
ssh git login pycharm
edited Jun 16 at 12:16
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
asked Jun 15 at 14:09
Charles BaoCharles Bao
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Based on IP, check whether it's yours or not. Use WHOIS services to find from where they are. If these IP addresses are public, then it's probably someone else, trying to clone some Git repositories from your server.
– kenorb
Jun 15 at 14:12
1
@kenorb it's my private IP. Just 10-20 minutes after i started to work, the annoying things happend. How about delete git user?
– Charles Bao
Jun 15 at 14:16
If you use an SSH key instead of a password, there is absolutely no point banning IPs after failed logins. You're just making life harder for yourself.
– Navin
Jun 17 at 4:30
add a comment |
I use a key (not password) to ssh into a server, but my IP address is frequently banned by the server.
After looking into the server auth.log, I found that someone (or some software) is trying every 10-20 minutes to ssh with the wrong password.
Jun 15 21:23:26 www sshd[31046]: Failed password for git from 218.81.128.80 port 37012 ssh2
Jun 15 21:23:26 www sshd[31046]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37012 ssh2 [preauth]
Jun 15 21:23:26 www sshd[31046]: Disconnecting authenticating user git 218.81.128.80 port 37012: Too many authentication failures [preauth]
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37146 ssh2 [preauth]
Jun 15 21:33:26 www sshd[31931]: Disconnecting authenticating user git 218.81.128.80 port 37146: Too many authentication failures [preauth]
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
Jun 15 21:53:26 www sshd[870]: error: maximum authentication attempts exceeded for git from 101.81.237.208 port 37384 ssh2 [preauth]
Jun 15 21:53:26 www sshd[870]: Disconnecting authenticating user git 101.81.237.208 port 37384: Too many authentication failures [preauth]
I'm using pycharm/phpstorm, etc., and created a Git server on my server.
I've checked the settings for these two software packages and have no idea what is happening.
I even changed my computer, but it made no difference.
ssh git login pycharm
edited Jun 16 at 12:16
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
asked Jun 15 at 14:09
Charles BaoCharles Bao
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I use a key (not password) to ssh into a server, but my IP address is frequently banned by the server.
After looking into the server auth.log, I found that someone (or some software) is trying every 10-20 minutes to ssh with the wrong password.
Jun 15 21:23:26 www sshd[31046]: Failed password for git from 218.81.128.80 port 37012 ssh2
Jun 15 21:23:26 www sshd[31046]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37012 ssh2 [preauth]
Jun 15 21:23:26 www sshd[31046]: Disconnecting authenticating user git 218.81.128.80 port 37012: Too many authentication failures [preauth]
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37146 ssh2 [preauth]
Jun 15 21:33:26 www sshd[31931]: Disconnecting authenticating user git 218.81.128.80 port 37146: Too many authentication failures [preauth]
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
Jun 15 21:53:26 www sshd[870]: error: maximum authentication attempts exceeded for git from 101.81.237.208 port 37384 ssh2 [preauth]
Jun 15 21:53:26 www sshd[870]: Disconnecting authenticating user git 101.81.237.208 port 37384: Too many authentication failures [preauth]
I'm using pycharm/phpstorm, etc., and created a Git server on my server.
I've checked the settings for these two software packages and have no idea what is happening.
I even changed my computer, but it made no difference.
ssh git login pycharm
ssh git login pycharm
edited Jun 16 at 12:16
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
asked Jun 15 at 14:09
Charles BaoCharles Bao
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited Jun 16 at 12:16
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
asked Jun 15 at 14:09
Charles BaoCharles Bao
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited Jun 16 at 12:16
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
edited Jun 16 at 12:16
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
edited Jun 16 at 12:16
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
8,44116 gold badges61 silver badges85 bronze badges
asked Jun 15 at 14:09
Charles BaoCharles Bao
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked Jun 15 at 14:09
Charles BaoCharles Bao
3817 bronze badges
asked Jun 15 at 14:09
Charles BaoCharles Bao
3817 bronze badges
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Based on IP, check whether it's yours or not. Use WHOIS services to find from where they are. If these IP addresses are public, then it's probably someone else, trying to clone some Git repositories from your server.
– kenorb
Jun 15 at 14:12
1
@kenorb it's my private IP. Just 10-20 minutes after i started to work, the annoying things happend. How about delete git user?
– Charles Bao
Jun 15 at 14:16
If you use an SSH key instead of a password, there is absolutely no point banning IPs after failed logins. You're just making life harder for yourself.
– Navin
Jun 17 at 4:30
add a comment |
Based on IP, check whether it's yours or not. Use WHOIS services to find from where they are. If these IP addresses are public, then it's probably someone else, trying to clone some Git repositories from your server.
– kenorb
Jun 15 at 14:12
1
@kenorb it's my private IP. Just 10-20 minutes after i started to work, the annoying things happend. How about delete git user?
– Charles Bao
Jun 15 at 14:16
If you use an SSH key instead of a password, there is absolutely no point banning IPs after failed logins. You're just making life harder for yourself.
– Navin
Jun 17 at 4:30
Based on IP, check whether it's yours or not. Use WHOIS services to find from where they are. If these IP addresses are public, then it's probably someone else, trying to clone some Git repositories from your server.
– kenorb
Jun 15 at 14:12
Based on IP, check whether it's yours or not. Use WHOIS services to find from where they are. If these IP addresses are public, then it's probably someone else, trying to clone some Git repositories from your server.
– kenorb
Jun 15 at 14:12
1
1
@kenorb it's my private IP. Just 10-20 minutes after i started to work, the annoying things happend. How about delete git user?
– Charles Bao
Jun 15 at 14:16
@kenorb it's my private IP. Just 10-20 minutes after i started to work, the annoying things happend. How about delete git user?
– Charles Bao
Jun 15 at 14:16
If you use an SSH key instead of a password, there is absolutely no point banning IPs after failed logins. You're just making life harder for yourself.
– Navin
Jun 17 at 4:30
If you use an SSH key instead of a password, there is absolutely no point banning IPs after failed logins. You're just making life harder for yourself.
– Navin
Jun 17 at 4:30
add a comment |
3 Answers
3
active
oldest
votes
Actually, I found the answer.
It's a pycharm plugin called Git Integration.
After I disabled this plugin, the problem was solved.
edited Jun 16 at 12:17
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
answered Jun 15 at 15:22
Charles BaoCharles Bao
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
3
I actually thought it might be malicious, good that it's not :)
– Arjun Vikram
Jun 16 at 5:22
3
How did you discover that was the culprit?
– BruceWayne
Jun 17 at 14:49
add a comment |
sudo lsof | grep ssh | grep git| grep IPv4 on the client machine that's doing it should tell you what's doing it at the time.
lsof will tell you what's using a file (and everything is a file in *nix). We're filtering for ssh and your username and IPv4 connections
You would need to do this while your system is trying to log in.
Simply removing the git user would likely just hide the problem - since there's something running that's sshing into the other machine.
answered Jun 15 at 14:27
Journeyman Geek♦Journeyman Geek
114k44 gold badges223 silver badges378 bronze badges
1
i tried, actually i can't catch the exact time of login event.
– Charles Bao
Jun 15 at 14:36
add a comment |
I know you already solved your problem but I had another idea I just wanted to mention.
You could replace the original SSH executable with a shell script that records the parent PID and then execs the original SSH.
Didn't test this but should work like:
#!/bin/bash
echo $(date) $PPID $* >> recordfile.log
exec ssh.orig "$@"
answered Jun 17 at 7:38
Martin B.Martin B.
1113 bronze badges
New contributor
Martin B. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
in my case, maybe git is the executable to do the ssh connection,
– Charles Bao
Jun 17 at 9:10
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "3"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Charles Bao is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1449116%2fhow-do-i-find-which-software-is-doing-an-ssh-connection%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
Actually, I found the answer.
It's a pycharm plugin called Git Integration.
After I disabled this plugin, the problem was solved.
edited Jun 16 at 12:17
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
answered Jun 15 at 15:22
Charles BaoCharles Bao
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
3
I actually thought it might be malicious, good that it's not :)
– Arjun Vikram
Jun 16 at 5:22
3
How did you discover that was the culprit?
– BruceWayne
Jun 17 at 14:49
add a comment |
Actually, I found the answer.
It's a pycharm plugin called Git Integration.
After I disabled this plugin, the problem was solved.
edited Jun 16 at 12:17
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
answered Jun 15 at 15:22
Charles BaoCharles Bao
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
3
I actually thought it might be malicious, good that it's not :)
– Arjun Vikram
Jun 16 at 5:22
3
How did you discover that was the culprit?
– BruceWayne
Jun 17 at 14:49
add a comment |
Actually, I found the answer.
It's a pycharm plugin called Git Integration.
After I disabled this plugin, the problem was solved.
edited Jun 16 at 12:17
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
answered Jun 15 at 15:22
Charles BaoCharles Bao
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Actually, I found the answer.
It's a pycharm plugin called Git Integration.
After I disabled this plugin, the problem was solved.
edited Jun 16 at 12:17
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
answered Jun 15 at 15:22
Charles BaoCharles Bao
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited Jun 16 at 12:17
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
edited Jun 16 at 12:17
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
edited Jun 16 at 12:17
Peter Mortensen
8,44116 gold badges61 silver badges85 bronze badges
8,44116 gold badges61 silver badges85 bronze badges
answered Jun 15 at 15:22
Charles BaoCharles Bao
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Jun 15 at 15:22
Charles BaoCharles Bao
3817 bronze badges
answered Jun 15 at 15:22
Charles BaoCharles Bao
3817 bronze badges
3817 bronze badges
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Charles Bao is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
3
I actually thought it might be malicious, good that it's not :)
– Arjun Vikram
Jun 16 at 5:22
3
How did you discover that was the culprit?
– BruceWayne
Jun 17 at 14:49
add a comment |
3
I actually thought it might be malicious, good that it's not :)
– Arjun Vikram
Jun 16 at 5:22
3
How did you discover that was the culprit?
– BruceWayne
Jun 17 at 14:49
3
3
I actually thought it might be malicious, good that it's not :)
– Arjun Vikram
Jun 16 at 5:22
I actually thought it might be malicious, good that it's not :)
– Arjun Vikram
Jun 16 at 5:22
3
3
How did you discover that was the culprit?
– BruceWayne
Jun 17 at 14:49
How did you discover that was the culprit?
– BruceWayne
Jun 17 at 14:49
add a comment |
sudo lsof | grep ssh | grep git| grep IPv4 on the client machine that's doing it should tell you what's doing it at the time.
lsof will tell you what's using a file (and everything is a file in *nix). We're filtering for ssh and your username and IPv4 connections
You would need to do this while your system is trying to log in.
Simply removing the git user would likely just hide the problem - since there's something running that's sshing into the other machine.
answered Jun 15 at 14:27
Journeyman Geek♦Journeyman Geek
114k44 gold badges223 silver badges378 bronze badges
1
i tried, actually i can't catch the exact time of login event.
– Charles Bao
Jun 15 at 14:36
add a comment |
sudo lsof | grep ssh | grep git| grep IPv4 on the client machine that's doing it should tell you what's doing it at the time.
lsof will tell you what's using a file (and everything is a file in *nix). We're filtering for ssh and your username and IPv4 connections
You would need to do this while your system is trying to log in.
Simply removing the git user would likely just hide the problem - since there's something running that's sshing into the other machine.
answered Jun 15 at 14:27
Journeyman Geek♦Journeyman Geek
114k44 gold badges223 silver badges378 bronze badges
1
i tried, actually i can't catch the exact time of login event.
– Charles Bao
Jun 15 at 14:36
add a comment |
sudo lsof | grep ssh | grep git| grep IPv4 on the client machine that's doing it should tell you what's doing it at the time.
lsof will tell you what's using a file (and everything is a file in *nix). We're filtering for ssh and your username and IPv4 connections
You would need to do this while your system is trying to log in.
Simply removing the git user would likely just hide the problem - since there's something running that's sshing into the other machine.
answered Jun 15 at 14:27
Journeyman Geek♦Journeyman Geek
114k44 gold badges223 silver badges378 bronze badges
sudo lsof | grep ssh | grep git| grep IPv4 on the client machine that's doing it should tell you what's doing it at the time.
lsof will tell you what's using a file (and everything is a file in *nix). We're filtering for ssh and your username and IPv4 connections
You would need to do this while your system is trying to log in.
Simply removing the git user would likely just hide the problem - since there's something running that's sshing into the other machine.
answered Jun 15 at 14:27
Journeyman Geek♦Journeyman Geek
114k44 gold badges223 silver badges378 bronze badges
answered Jun 15 at 14:27
Journeyman Geek♦Journeyman Geek
114k44 gold badges223 silver badges378 bronze badges
answered Jun 15 at 14:27
Journeyman Geek♦Journeyman Geek
114k44 gold badges223 silver badges378 bronze badges
answered Jun 15 at 14:27
Journeyman Geek♦Journeyman Geek
114k44 gold badges223 silver badges378 bronze badges
114k44 gold badges223 silver badges378 bronze badges
1
i tried, actually i can't catch the exact time of login event.
– Charles Bao
Jun 15 at 14:36
add a comment |
1
i tried, actually i can't catch the exact time of login event.
– Charles Bao
Jun 15 at 14:36
1
1
i tried, actually i can't catch the exact time of login event.
– Charles Bao
Jun 15 at 14:36
i tried, actually i can't catch the exact time of login event.
– Charles Bao
Jun 15 at 14:36
add a comment |
I know you already solved your problem but I had another idea I just wanted to mention.
You could replace the original SSH executable with a shell script that records the parent PID and then execs the original SSH.
Didn't test this but should work like:
#!/bin/bash
echo $(date) $PPID $* >> recordfile.log
exec ssh.orig "$@"
answered Jun 17 at 7:38
Martin B.Martin B.
1113 bronze badges
New contributor
Martin B. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
in my case, maybe git is the executable to do the ssh connection,
– Charles Bao
Jun 17 at 9:10
add a comment |
I know you already solved your problem but I had another idea I just wanted to mention.
You could replace the original SSH executable with a shell script that records the parent PID and then execs the original SSH.
Didn't test this but should work like:
#!/bin/bash
echo $(date) $PPID $* >> recordfile.log
exec ssh.orig "$@"
answered Jun 17 at 7:38
Martin B.Martin B.
1113 bronze badges
New contributor
Martin B. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
in my case, maybe git is the executable to do the ssh connection,
– Charles Bao
Jun 17 at 9:10
add a comment |
I know you already solved your problem but I had another idea I just wanted to mention.
You could replace the original SSH executable with a shell script that records the parent PID and then execs the original SSH.
Didn't test this but should work like:
#!/bin/bash
echo $(date) $PPID $* >> recordfile.log
exec ssh.orig "$@"
answered Jun 17 at 7:38
Martin B.Martin B.
1113 bronze badges
New contributor
Martin B. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I know you already solved your problem but I had another idea I just wanted to mention.
You could replace the original SSH executable with a shell script that records the parent PID and then execs the original SSH.
Didn't test this but should work like:
#!/bin/bash
echo $(date) $PPID $* >> recordfile.log
exec ssh.orig "$@"
answered Jun 17 at 7:38
Martin B.Martin B.
1113 bronze badges
New contributor
Martin B. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Jun 17 at 7:38
Martin B.Martin B.
1113 bronze badges
New contributor
Martin B. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Jun 17 at 7:38
Martin B.Martin B.
1113 bronze badges
answered Jun 17 at 7:38
Martin B.Martin B.
1113 bronze badges
1113 bronze badges
New contributor
Martin B. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Martin B. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
in my case, maybe git is the executable to do the ssh connection,
– Charles Bao
Jun 17 at 9:10
add a comment |
in my case, maybe git is the executable to do the ssh connection,
– Charles Bao
Jun 17 at 9:10
in my case, maybe git is the executable to do the ssh connection,
– Charles Bao
Jun 17 at 9:10
in my case, maybe git is the executable to do the ssh connection,
– Charles Bao
Jun 17 at 9:10
add a comment |
Charles Bao is a new contributor. Be nice, and check out our Code of Conduct.
Charles Bao is a new contributor. Be nice, and check out our Code of Conduct.
Charles Bao is a new contributor. Be nice, and check out our Code of Conduct.
Charles Bao is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1449116%2fhow-do-i-find-which-software-is-doing-an-ssh-connection%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Based on IP, check whether it's yours or not. Use WHOIS services to find from where they are. If these IP addresses are public, then it's probably someone else, trying to clone some Git repositories from your server.
– kenorb
Jun 15 at 14:12
1
@kenorb it's my private IP. Just 10-20 minutes after i started to work, the annoying things happend. How about delete git user?
– Charles Bao
Jun 15 at 14:16
If you use an SSH key instead of a password, there is absolutely no point banning IPs after failed logins. You're just making life harder for yourself.
– Navin
Jun 17 at 4:30