
I have this person (or bot) from an IP in Chile which has an "ESTABLISHED" connection to SSHD as root on my server.

I'm trying to understand what netstat's outputs really mean; the manual doesn't really provide much detail about them. Here's what I get:

root@linode [~]# netstat -tanpc|grep 200.29.174.125
tcp        0    840 45.33.71.204:22             200.29.174.125:40506        ESTABLISHED 12016/sshd
tcp        0     21 45.33.71.204:22             200.29.174.125:40792        ESTABLISHED 12020/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:41079        SYN_RECV    -
tcp        0      1 45.33.71.204:22             200.29.174.125:40792        FIN_WAIT1   -
tcp        0     84 45.33.71.204:22             200.29.174.125:41079        ESTABLISHED 12022/sshd
tcp        0     52 45.33.71.204:22             200.29.174.125:41353        ESTABLISHED 12024/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:41661        ESTABLISHED 12026/sshd
tcp        0    720 45.33.71.204:22             200.29.174.125:41959        ESTABLISHED 12028/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:42208        ESTABLISHED 12030/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:42509        ESTABLISHED 12032/sshd
tcp        0     21 45.33.71.204:22             200.29.174.125:42810        ESTABLISHED 12034/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:43094        SYN_RECV    -
tcp        0     84 45.33.71.204:22             200.29.174.125:43094        ESTABLISHED 12036/sshd
tcp        0     52 45.33.71.204:22             200.29.174.125:43362        ESTABLISHED 12038/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:43676        ESTABLISHED 12040/sshd
tcp        0    720 45.33.71.204:22             200.29.174.125:43936        ESTABLISHED 12042/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:44229        ESTABLISHED 12044/sshd
tcp        0    840 45.33.71.204:22             200.29.174.125:44566        ESTABLISHED 12047/sshd
tcp        0     21 45.33.71.204:22             200.29.174.125:44844        ESTABLISHED 12056/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:45079        SYN_RECV    -
tcp        0     84 45.33.71.204:22             200.29.174.125:45079        ESTABLISHED 12058/sshd

What I understand from the above output is that this person (or bot?) is changing ports every second, and so a new PID for SSHD is created every time he (or it) "establishes" a connection. Am I right?

The next and more important thing I'd like to ask is: does the "ESTABLISHED" state here mean that he (or it) actually has access to my server as the root user? Or, if I'm right in my assumption above, does this mean he (or it) is scanning for ports on my server, still trying to get in?

Nim
  • Most systems log authentication events. Where depends on the distribution / OS like `/var/log/secure` for Redhat and derivatives (Centos, Oracle Linux etc) and `/var/log/auth.log` for Debian and derivatives (Ubuntu etc). – Brian May 08 '15 at 20:34

2 Answers


Established only means that the connection is fully open and data can be transmitted. It doesn't necessarily mean that any data has been transmitted! It doesn't imply anything about layer 7, whether someone has authenticated to your system or not. You can check your system logs to learn if someone has authenticated successfully.

Michael Hampton
  • Thanks for clarifying that about the "established" state. That's what I'm actually worried about. I have set this server to send me an email every time a successful root login happens (I am using WHM/cPanel on this server). And it works when I login as root, I get an email. I'm not sure if it might be possible for root logins/successful authentication to happen without triggering the email notification I have set. Please excuse me, I'm relatively new to managing servers. Where do I find those system logs that you're talking about? I have CentOS 6.6 on this server, again with WHM/cPanel. – Nim May 08 '15 at 20:19
  • All the system logs are in `/var/log`. I don't know what cPanel does; it is [not a supportable topic here](http://meta.serverfault.com/q/8094/126632). You probably want to familiarize yourself with the [system documentation](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/). – Michael Hampton May 08 '15 at 20:23
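The two things the answer and Brian's comment point at (the TCP state says nothing about authentication; the authentication result is in `/var/log/secure` on CentOS) can be checked with a couple of shell functions. The script below is an added example and is not code from the question, the answers, or cPanel. The auth-log lines in `SAMPLE_LOG` are constructed for the example in the syslog format sshd uses on CentOS 6 (`Accepted password for root from IP port N ssh2`, `Failed password for ... from IP port N ssh2`); the `NETSTAT_SAMPLE` lines are copied from the netstat output in the question. OpenSSH forks a separate `sshd` child for every incoming TCP connection, which is why each ESTABLISHED line in the question carries its own PID; the `sshd[PID]` tag in the log can then be compared with the PID column in netstat.

```shell
#!/bin/sh
# Added example, not from the original post. Distinguishes TCP-level state
# (netstat) from authentication outcome (sshd log lines).

# Four lines copied from the netstat output in the question.
NETSTAT_SAMPLE='tcp        0    840 45.33.71.204:22             200.29.174.125:40506        ESTABLISHED 12016/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:41079        SYN_RECV    -
tcp        0     84 45.33.71.204:22             200.29.174.125:41079        ESTABLISHED 12022/sshd
tcp        0     52 45.33.71.204:22             200.29.174.125:41353        ESTABLISHED 12024/sshd'

# Constructed sample of sshd lines in the CentOS 6 /var/log/secure format (assumed).
# On a real host, feed it "$(cat /var/log/secure)" instead.
SAMPLE_LOG='May  8 20:10:01 linode sshd[12016]: Failed password for root from 200.29.174.125 port 40506 ssh2
May  8 20:10:03 linode sshd[12020]: Failed password for invalid user admin from 200.29.174.125 port 40792 ssh2
May  8 20:10:05 linode sshd[12022]: Failed password for root from 200.29.174.125 port 41079 ssh2
May  8 20:11:40 linode sshd[12100]: Accepted publickey for root from 198.51.100.7 port 51022 ssh2
May  8 20:12:02 linode sshd[12024]: Accepted password for root from 200.29.174.125 port 41353 ssh2'

# established_sshd_pids NETSTAT_TEXT
# Prints the distinct sshd PIDs that own an ESTABLISHED connection, one per line.
# Fields of a "netstat -tanp" line: proto recv-q send-q local remote state pid/program
established_sshd_pids() {
    printf '%s\n' "$1" |
        awk '$6 == "ESTABLISHED" && $7 ~ /\/sshd$/ { sub(/\/sshd$/, "", $7); print $7 }' |
        sort -u
}

# count_auth_events LOG_TEXT IP
# Prints "accepted=N failed=M" for the given source IP. Only Accepted/Failed
# lines count; an open TCP connection with no such line has not authenticated.
count_auth_events() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $0 ~ "sshd\\[" && $0 ~ (" from " ip " ") {
            if ($0 ~ /Accepted (password|publickey|keyboard-interactive)/) a++
            else if ($0 ~ /Failed password/) f++
        }
        END { printf "accepted=%d failed=%d\n", a + 0, f + 0 }'
}

# root_logins LOG_TEXT
# Prints "IP METHOD" for every successful root login, the event the question
# is really asking about. In "Accepted METHOD for root from IP", METHOD is three
# fields before "from".
root_logins() {
    printf '%s\n' "$1" | awk '
        /sshd\[/ && /Accepted (password|publickey|keyboard-interactive) for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1), $(i - 3)
        }'
}

echo "sshd children with ESTABLISHED connections:"
established_sshd_pids "$NETSTAT_SAMPLE"
echo "auth events from 200.29.174.125: $(count_auth_events "$SAMPLE_LOG" 200.29.174.125)"
echo "successful root logins (ip method):"
root_logins "$SAMPLE_LOG"
```

On the server in the question the equivalent one-off check is `count_auth_events "$(cat /var/log/secure)" 200.29.174.125` followed by `root_logins "$(cat /var/log/secure)"`; a source IP that shows only `failed=` counts, however many ESTABLISHED lines netstat prints for it, has connected but not logged in. Note that the `ip` match is a plain regex, so the dots match any character; for a one-host check that is fine, for anything stricter escape them first.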

Established means that the user on the other end has an open connection, and so things like "shutdown -I" should work, except, obviously, if you cannot do that anyway. I only worry about the outputs labelled Established unless the other ones are needed.