Looks normal,
how about:
cat /etc/ssh/sshd_config | paste-log
cat /etc/systemd/system/sshd.service | paste-log
post ls -lah /etc/ssh/
also please use the preformatted text button (</>) when posting
Could you run the command w for us please (just one letter).
@Sukre can not post anymore as he just joined today and has reached the forum limit.
All looks ok
sshd_config https://paste.osmc.tv/bileduweco
sshd.service https://paste.osmc.tv/qosakokeye
and ls -lah
drwxr-xr-x 2 root root 4.0K Jun 10 12:44 .
drwxr-xr-x 73 root root 4.0K Jun 10 10:47 ..
-rw-r--r-- 1 root root 237K Jul 22 2016 moduli
-rw-r--r-- 1 root root 1.6K Jul 22 2016 ssh_config
-r-------- 1 root root 668 Mar 20 11:39 ssh_host_dsa_key
-r-------- 1 root root 599 Mar 20 11:39 ssh_host_dsa_key.pub
-r-------- 1 root root 227 Mar 20 11:38 ssh_host_ecdsa_key
-r-------- 1 root root 171 Mar 20 11:38 ssh_host_ecdsa_key.pub
-r-------- 1 root root 399 Mar 20 11:38 ssh_host_ed25519_key
-r-------- 1 root root 91 Mar 20 11:38 ssh_host_ed25519_key.pub
-r-------- 1 root root 963 Jul 22 2016 ssh_host_key
-r-------- 1 root root 627 Jul 22 2016 ssh_host_key.pub
-r-------- 1 root root 1.7K Mar 20 11:39 ssh_host_rsa_key
-r-------- 1 root root 391 Mar 20 11:39 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root 2.9K Jun 10 13:10 sshd_config
-rw-r--r-- 1 root root 2.9K Jun 10 10:38 sshd_config.save
-rw-r--r-- 1 root root 2.9K Jun 10 12:44 sshd_config.save.1
-rw-r--r-- 1 root root 2.9K Jun 10 12:44 sshd_config.save.2
-rw-r--r-- 1 root root 2.9K Jun 10 12:44 sshd_config.save.3
This looks "odd" for a Pi:
CGroup: /system.slice/ssh.service
|-4475 sshd: osmc [priv]
|-4477 sshd: osmc@notty
|-4478 /usr/lib/openssh/sftp-server
|-4734 /usr/sbin/sshd -D
|-5192 sshd: osmc [priv]
|-5194 sshd: osmc@pts/0
|-5195 -bash
|-5219 sshd: root [priv]
|-5220 sshd: root [net]
|-5225 sshd: [accepted]
|-5226 sshd: [accepted]
|-5227 sshd: [net]
|-5228 sshd: [net]
|-5229 sshd: [accepted]
|-5230 sshd: [accepted]
|-5231 sshd: [net]
|-5232 sshd: [net]
|-5233 sshd: [accepted]
|-5234 sshd: [net]
and
Jun 10 12:51:03 Pi sshd[4789]: Received disconnect from 116.31.116.44: 11: [preauth]
Jun 10 12:51:09 Pi sshd[4795]: Failed password for root from 116.31.116.44 port 36765 ssh2
Jun 10 12:51:09 Pi sshd[4795]: Failed password for root from 116.31.116.44 port 36765 ssh2
Jun 10 12:51:10 Pi sshd[4795]: Failed password for root from 116.31.116.44 port 36765 ssh2
and
Jun 10 13:05:49 Pi sshd[5219]: Failed password for root from 116.31.116.44 port 14049 ssh2
Jun 10 13:05:50 Pi sshd[5219]: Failed password for root from 116.31.116.44 port 14049 ssh2
Jun 10 13:05:50 Pi sshd[5219]: Failed password for root from 116.31.116.44 port 14049 ssh2
Probably port 22 is being forwarded, etc, etc.
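A way to summarize log excerpts like the ones in the post above, as an added example that is not part of the original thread: it groups failed password attempts by source address and flags sources that target root or exceed a threshold. The function names and the threshold of 5 are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# First seven lines are the auth log excerpts quoted in the post above;
# the last line is constructed to show that successful logins are ignored.
SAMPLE_LOG = """\
Jun 10 12:51:03 Pi sshd[4789]: Received disconnect from 116.31.116.44: 11: [preauth]
Jun 10 12:51:09 Pi sshd[4795]: Failed password for root from 116.31.116.44 port 36765 ssh2
Jun 10 12:51:09 Pi sshd[4795]: Failed password for root from 116.31.116.44 port 36765 ssh2
Jun 10 12:51:10 Pi sshd[4795]: Failed password for root from 116.31.116.44 port 36765 ssh2
Jun 10 13:05:49 Pi sshd[5219]: Failed password for root from 116.31.116.44 port 14049 ssh2
Jun 10 13:05:50 Pi sshd[5219]: Failed password for root from 116.31.116.44 port 14049 ssh2
Jun 10 13:05:50 Pi sshd[5219]: Failed password for root from 116.31.116.44 port 14049 ssh2
Jun 10 14:19:02 Pi sshd[7620]: Accepted password for osmc from 192.168.0.13 port 50000 ssh2
"""

# Matches OpenSSH's "Failed password for [invalid user] NAME from ADDR port N".
FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def summarize_failures(log_text):
    """Group failed password attempts by source address."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "connections": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # disconnects, accepted logins and other messages
        entry = stats[m["ip"]]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
        # One sshd child (PID) plus client port identifies one TCP connection.
        entry["connections"].add((m["pid"], m["port"]))
    return dict(stats)

def flag_sources(stats, min_attempts=5, watch_users=("root",)):
    """Addresses that reach the threshold (assumed value) or target a watched account."""
    watched = set(watch_users)
    return [ip for ip, e in sorted(stats.items())
            if e["attempts"] >= min_attempts or e["users"] & watched]

if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_LOG)
    for ip in flag_sources(summary):
        e = summary[ip]
        print(ip, e["attempts"], "failures over", len(e["connections"]),
              "connections, users:", sorted(e["users"]))
```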
Hello, I'm Sukre. I reached the limit of the topic for new accounts too and cannot send messages either, that's why I created this account, hope you guys are OK with this
https://discourse.osmc.tv/t/ssh-update/37404/2
Here it is
osmc@Pi:~$ cat /etc/systemd/system/sshd.service
[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
[Install]
WantedBy=multi-user.target
Alias=sshd.service
Right, overlooked that. Thought he just mistyped
@Sukre it looks like you are port forwarding ssh from the internet to your OSMC. That is quite dangerous without properly hardening SSH access. There might even be the chance that you have already been hacked and that is part of the reason for the strange behaviour.
As there are also additional services (PIDs) started with your sshd
Maybe crosscheck your sshd with md5sum /usr/sbin/sshd
the sum should be 67f7b73c4787e1b783c5dd3d9e27b1e3
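The crosscheck suggested above can also be made against the checksum manifest that dpkg stores for the installed package version, shown here as an added example that is not part of the original thread. It assumes the standard Debian manifest location /var/lib/dpkg/info/openssh-server.md5sums; the function names are chosen for this illustration.

```python
import hashlib
from pathlib import Path

def parse_md5sums(text):
    """Parse dpkg .md5sums content: '<md5hex>  <path relative to />' per line."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split(None, 1)  # keeps spaces inside the path
            table[rel.strip()] = digest.lower()
    return table

def md5_of(path, chunk=65536):
    """MD5 of a file, read in chunks so large binaries are not loaded at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_package(md5sums_text, root="/"):
    """Return {relative path: 'ok' | 'MODIFIED' | 'missing'} for each listed file."""
    results = {}
    for rel, expected in parse_md5sums(md5sums_text).items():
        target = Path(root) / rel
        if not target.is_file():
            results[rel] = "missing"
        elif md5_of(target) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "MODIFIED"
    return results

if __name__ == "__main__":
    # Assumed manifest path for the openssh-server package on Debian-based systems.
    manifest = Path("/var/lib/dpkg/info/openssh-server.md5sums")
    if manifest.exists():
        for rel, state in verify_package(manifest.read_text()).items():
            print(f"{state:9} /{rel}")
```

The manifest lives on the same disk as the binary, so a clean result on a host that is already suspect is not conclusive; comparing against the package fetched from a trusted mirror on another machine is the stronger check.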
Yeah, I port forward with the 22 port, but the default password has been changed since day 1. Also, I just tried disabling port forwarding and changing the port and I get the exact same result
Mine is different and starts with fd8
That's not good at all
Please run the w command. We'll have a better idea of what/who is on the box.
How? Even if I use the default port, I use a complex password since day 1. Also, could it be something else besides having been hacked?
14:19:31 up 3:47, 1 user, load average: 0.60, 0.63, 0.67
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
osmc pts/0 192.168.0.13 14:19 2.00s 0.06s 0.03s w
That ip is me from my ipad
Only other explanation is you got the ssh server from a different repository. Try to remove all non standard repositories from sources.list and reinstall ssh server.
But with all those additional PIDs started the hacked chance is quite likely
This could be because of the app I use, terminus for iOS. I always force close the app and maybe the session doesn't close well and that's why it looks like various connections. If I restart the Pi and output that again I get this
osmc@Pi:~$ sudo systemctl status sshd
* ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
Active: active (running) since Sat 2017-06-10 14:39:05 CEST; 2s ago
Main PID: 7639 (sshd)
CGroup: /system.slice/ssh.service
|-7620 sshd: osmc [priv]
|-7622 sshd: osmc@pts/0
|-7623 -bash
|-7639 /usr/sbin/sshd -D
|-7641 sudo systemctl status sshd
`-7642 systemctl status sshd
The only repository that I have added is one for installing the noip service, but when I updated my router and got this function I removed the service and the source from the sources list. Other than that, maybe I tried at some point to install the ssh server from the command line and not from the My OSMC store, but for that I didn't add any repository
Already did that. These are all the ssh related packages that I have installed, they are right?
osmc@Pi:~$ dpkg --get-selections | grep ssh
libssh-4:armhf install
libssh2-1:armhf install
openssh-client install
openssh-server install
openssh-sftp-server install
ssh-app-osmc install
So you removed that in the meantime?
Yeah, I removed it when you guys told me in the earlier comments, and like I said I did not add this repository. I added another one for the noip service months ago that I removed 2 weeks later because I didn't need it, and I'm not sure but I think I have had that unstable repository since I fresh installed OSMC on my Pi
OK, then I really suggest you do a clean reinstall if ghosts add repositories to your sources.list
And for my previous question, is it normal that I have this many ssh services installed?
osmc@Pi:~$ dpkg --get-selections | grep ssh
libssh-4:armhf install
libssh2-1:armhf install
openssh-client install
openssh-server install
openssh-sftp-server install
ssh-app-osmc install
yes
osmc@osmc:~$ dpkg --get-selections | grep ssh
libssh-4:armhf install
libssh2-1:armhf install
openssh-client install
openssh-server install
openssh-sftp-server install
ssh-app-osmc install