How do I find which software is doing an SSH connection?

21

3

I use a key (not password) to ssh into a server, but my IP address is frequently banned by the server.

After looking into the server auth.log, I found that someone (or some software) is trying every 10-20 minutes to ssh with the wrong password.

Jun 15 21:23:26 www sshd[31046]: Failed password for git from 218.81.128.80 port 37012 ssh2
Jun 15 21:23:26 www sshd[31046]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37012 ssh2 [preauth]
Jun 15 21:23:26 www sshd[31046]: Disconnecting authenticating user git 218.81.128.80 port 37012: Too many authentication failures [preauth]
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37146 ssh2 [preauth]
Jun 15 21:33:26 www sshd[31931]: Disconnecting authenticating user git 218.81.128.80 port 37146: Too many authentication failures [preauth]
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
Jun 15 21:53:26 www sshd[870]: error: maximum authentication attempts exceeded for git from 101.81.237.208 port 37384 ssh2 [preauth]
Jun 15 21:53:26 www sshd[870]: Disconnecting authenticating user git 101.81.237.208 port 37384: Too many authentication failures [preauth]

I'm using pycharm/phpstorm, etc., and created a Git server on my server.

I've checked the settings for these two software packages and have no idea what is happening. I even changed my computer, but it made no difference.

Charles Bao

Posted 2019-06-15T14:09:35.657

Reputation: 501

Based on IP, check whether it's yours or not. Use WHOIS services to find from where they are. If these IP addresses are public, then it's probably someone else, trying to clone some Git repositories from your server. – kenorb – 2019-06-15T14:12:47.563

@kenorb it's my private IP. Just 10-20 minutes after I started to work, the annoying things happened. How about deleting the git user? – Charles Bao – 2019-06-15T14:16:57.387

If you use an SSH key instead of a password, there is absolutely no point banning IPs after failed logins. You're just making life harder for yourself. – Navin – 2019-06-17T04:30:05.047
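The cadence in the auth.log excerpt above (one burst of password failures per new sshd child, every 10 or 20 minutes, all for the `git` user) is itself the strongest hint that a scheduled client, not a human, is knocking. The following added example, not part of the question or any answer, parses that excerpt from the server side: it collapses the repeated failures of each sshd child into one connection attempt, measures the interval between attempts, and counts attempts per source IP and user. The log lines are the ones quoted in the question; the year 2019 is assumed because syslog lines carry none.

```python
import re
from datetime import datetime

# Constructed sample: the auth.log excerpt quoted in the question (year assumed to be 2019).
SAMPLE_LOG = """\
Jun 15 21:23:26 www sshd[31046]: Failed password for git from 218.81.128.80 port 37012 ssh2
Jun 15 21:23:26 www sshd[31046]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37012 ssh2 [preauth]
Jun 15 21:23:26 www sshd[31046]: Disconnecting authenticating user git 218.81.128.80 port 37012: Too many authentication failures [preauth]
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37146 ssh2 [preauth]
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
"""

# One OpenSSH "Failed password" line; the sshd child PID identifies one TCP connection.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_failed_logins(text, year=2019):
    """Extract one record per 'Failed password' line (syslog lines carry no year, so one is supplied)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "pid": int(m["pid"]), "user": m["user"],
                       "ip": m["ip"], "port": int(m["port"])})
    return events


def summarize_connections(events):
    """Collapse the repeated failures of one sshd child (one connection) into a single attempt."""
    conns = {}
    for e in events:
        key = (e["pid"], e["ip"], e["port"])
        c = conns.setdefault(key, {"ts": e["ts"], "user": e["user"], "ip": e["ip"],
                                   "port": e["port"], "failures": 0})
        c["failures"] += 1
    return sorted(conns.values(), key=lambda c: c["ts"])


def attempt_intervals_minutes(conns):
    """Minutes between successive attempts; a steady cadence points at a poller, not a person."""
    return [round((b["ts"] - a["ts"]).total_seconds() / 60) for a, b in zip(conns, conns[1:])]


def attempts_by_source(conns):
    """Number of password-authentication connections per (source IP, user)."""
    counts = {}
    for c in conns:
        key = (c["ip"], c["user"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    conns = summarize_connections(parse_failed_logins(SAMPLE_LOG))
    for c in conns:
        print(f"{c['ts']:%H:%M:%S} {c['user']}@{c['ip']}:{c['port']} failures={c['failures']}")
    print("minutes between attempts:", attempt_intervals_minutes(conns))
    print("attempts per (ip, user):", attempts_by_source(conns))
```

Run against the excerpt it reports intervals of 10 and 20 minutes, which matches the question's "every 10-20 minutes" and tells you the client is polling on a timer. Because the account in question is supposed to use a key, any `Failed password` line for it means some client is offering a password at all, which is the misconfiguration to chase on the client side.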

Answers

18

Actually, I found the answer.

It's a pycharm plugin called Git Integration.

After I disabled this plugin, the problem was solved.

Charles Bao

Posted 2019-06-15T14:09:35.657

Reputation: 501

I actually thought it might be malicious, good that it's not :) – a25bedc5-3d09-41b8-82fb-ea6c353d75ae – 2019-06-16T05:22:09.437

How did you discover that was the culprit? – BruceWayne – 2019-06-17T14:49:30.420

14

sudo lsof | grep ssh | grep git | grep IPv4 on the client machine that's doing it should tell you what's doing it at the time.

lsof will tell you what's using a file (and everything is a file in *nix). We're filtering for ssh, your username and IPv4 connections.

You would need to do this while your system is trying to log in.

Simply removing the git user would likely just hide the problem - since there's something running that's sshing into the other machine.

Journeyman Geek

Posted 2019-06-15T14:09:35.657

Reputation: 119,122

I tried; actually I can't catch the exact time of the login event. – Charles Bao – 2019-06-15T14:36:08.670
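The one-shot lsof command above only works if you run it while the connection is open, which is exactly what the comment says is hard to time. The following added example, not part of this answer or the original thread, automates the watch on the client: it polls `ss -tnp` every couple of seconds, picks out established connections to port 22, and records the owning process plus its whole parent chain from /proc, so that a connection opened by a plugin inside an IDE shows up as something like `ssh <- git <- java`. It is Linux-only, `ss` must be present, and it must run as root to see other users' sockets; the log file name `ssh-clients.log` and the sample `ss` output are constructed for the example.

```python
import re
import subprocess
import time
from datetime import datetime

# Constructed sample of `ss -tnp` output, used to show what the parser extracts.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:37012 203.0.113.10:22 users:(("ssh",pid=4242,fd=3))
ESTAB 0 0 10.0.0.5:51234 203.0.113.20:443 users:(("firefox",pid=999,fd=61))
"""

# One ("comm",pid=N,fd=M) entry inside the Process column of `ss -p`.
PROC_RE = re.compile(r'\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


def parse_ss_connections(ss_output, peer_port=22):
    """Return (local, peer, comm, pid) for every ESTAB connection whose peer port is peer_port."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        local, peer = fields[3], fields[4]
        if not peer.endswith(f":{peer_port}"):
            continue
        for m in PROC_RE.finditer(line):
            found.append((local, peer, m["comm"], int(m["pid"])))
    return found


def proc_ancestry(pid):
    """Walk /proc/<pid>/stat up to PID 1, returning [(pid, comm), ...] from child to ancestor."""
    chain = []
    while pid > 1:
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
        except OSError:  # process already gone
            break
        # comm sits in parentheses and may contain spaces; ppid is the 2nd field after it
        head, _, rest = stat.rpartition(")")
        comm = head.split("(", 1)[1]
        ppid = int(rest.split()[1])
        chain.append((pid, comm))
        pid = ppid
    return chain


def watch(interval=2.0, peer_port=22, logfile="ssh-clients.log"):
    """Poll ss and append one line per newly seen SSH client connection with its parent chain."""
    seen = set()
    while True:
        out = subprocess.run(["ss", "-tnp"], capture_output=True, text=True).stdout
        for local, peer, comm, pid in parse_ss_connections(out, peer_port):
            if (peer, pid) in seen:
                continue
            seen.add((peer, pid))
            chain = " <- ".join(f"{c}[{p}]" for p, c in proc_ancestry(pid))
            with open(logfile, "a") as lf:
                lf.write(f"{datetime.now():%F %T} {local} -> {peer} {chain}\n")
        time.sleep(interval)


if __name__ == "__main__":
    watch()
```

Leave it running in a terminal (or under nohup) for half an hour and the log will contain the parent chain of whatever opened the connection at the moment the server logged the failure; a two-second poll is short enough to catch even the brief connection that fails after a handful of password attempts.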

1

I know you already solved your problem but I had another idea I just wanted to mention.

You could replace the original SSH executable with a shell script that records the parent PID and then execs the original SSH.

Didn't test this, but it should work like:

#!/bin/bash
# Wrapper installed in place of the real ssh binary (which has been renamed to ssh.orig):
# log the time, the calling process's PID and the arguments, then hand over to the real ssh.
echo "$(date) $PPID $*" >> recordfile.log
exec ssh.orig "$@"

Martin B.

Posted 2019-06-15T14:09:35.657

Reputation: 111

In my case, maybe git is the executable doing the ssh connection. – Charles Bao – 2019-06-17T09:10:57.437