Hi Friends,
On one of my servers, which has a direct connection to the internet without a firewall, I am seeing an established SSH connection. I am not getting how: there is no login, but I can see this established connection.
## I have hidden the original IPs with the notations below for security concerns.
My-IP: A.B.C.Z
Unknown-IP: W.X.Y.Z
# netstat -antpu | grep -i W.X.
tcp 0 1 A.B.C.Z:38726 W.X.Y.Z:6667 ESTABLISHED 8997/sshd
After that I blindly restricted the access as below ..
# vi /etc/hosts.deny
sshd,sshdfwd-X11:ALL
*:W.X.Y.Z
# vi /etc/hosts.allow
sshd,sshdfwd-X11: A.B.C.
## Set below iptables
# iptables -A INPUT -s W.X.Y.Z -j DROP
# iptables -A OUTPUT -d W.X.Y.Z -j DROP
# service iptables save
# Now I can see the connection below with W.X.Y.Z
# netstat -antpu | grep -i W.X
tcp 0 1 A.B.C.Z:25631 W.X.Y.Z:6667 SYN_SENT 8997/sshd
Many times I have killed this connection by killing the above PID, and after 1-2 minutes it again establishes a connection over port 666*, which is below in my services file:
ircu-3 6667/tcp ircd # IRCU
ircu-3 6667/udp ircd # IRCU
As per my understanding, some process on my system is trying to send packets to this W.X.Y.Z IP and is waiting for the ACK response; that is this SYN_SENT.
Please help me find the root cause: how can I find which process/software is trying to establish a connection to this IP (W.X.Y.Z), and how can I block it fully?
--Shirish Shukla
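A triage helper for the question above, added as an example and not part of the original post: it pulls every socket to the 666* port family out of `netstat -antpu` text, then resolves what really sits behind the name netstat prints (netstat takes "sshd" from the process's own self-reported name, so the executable path, parent PID and package verification are what to trust). The sample netstat text is constructed from the post's lines with documentation addresses in place of A.B.C.Z and W.X.Y.Z; `/usr/sbin/sshd` as the packaged path and `rpm` as the package manager are assumptions.

```shell
#!/bin/sh
# Constructed `netstat -antpu` sample modelled on the post (documentation addresses
# stand in for A.B.C.Z and W.X.Y.Z).
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd
tcp 0 1 192.0.2.10:38726 203.0.113.5:6667 ESTABLISHED 8997/sshd
tcp 0 1 192.0.2.10:25631 203.0.113.5:6667 SYN_SENT 8997/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 999/dhclient'

# Every TCP socket whose remote port is 6660-6669, in any state (SYN_SENT included),
# printed as "PID PROGRAM STATE REMOTE". Input: netstat -antpu text in $1.
irc_connections() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $5 ~ /:666[0-9]$/ {
        split($7, p, "/"); print p[1], p[2], $6, $5 }'
}

# Distinct PIDs behind those sockets, one per line.
irc_pids() {
    irc_connections "$1" | awk '{ print $1 }' | sort -u
}

# Resolve the process via /proc rather than trusting the name netstat shows.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid: no /proc entry (exited or respawned)"; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
    ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
    echo "pid $pid ppid=$ppid exe=$exe cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    printf 'cmdline: '; tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null; echo
    case "$exe" in
        *' (deleted)') echo "WARNING: binary deleted after start; copy it from /proc/$pid/exe" ;;
        /usr/sbin/sshd) ;;   # assumed packaged path; adjust for your distro
        *) echo "WARNING: '$exe' is not the packaged sshd path" ;;
    esac
    # The post uses `service iptables save`, so an RPM host is assumed: verify the file.
    clean=$(printf '%s' "$exe" | sed 's/ (deleted)$//')
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$clean" || echo "rpm -Vf reports changes or no owning package for $clean"
    fi
    # Open files other than devices often reveal config, logs or the respawning parent.
    ls -l "/proc/$pid/fd" 2>/dev/null | grep -v ' -> /dev/' | head -n 20
}

# Live use (kept commented so the block runs offline); the parent PID is the lead to
# follow when the connection comes back 1-2 minutes after a kill.
# for pid in $(irc_pids "$(netstat -antpu 2>/dev/null)"); do inspect_pid "$pid"; done
```

`ss -tanp` or `lsof -i :6667` give the same owning PIDs if netstat is unavailable, and the same /proc checks apply.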