axfelix@shoebox:~$ ps aux | grep sshd
root      1182  0.0  0.0  65612  6620 ?        Ss   Apr28   0:02 /usr/sbin/sshd -D
root      1857  1.0  0.0 107080  7052 ?        Ss   11:23   0:00 sshd: root [priv]
sshd      1858  0.0  0.0  66956  3228 ?        S    11:23   0:00 sshd: root [net]
root      1859  1.2  0.0 107080  7160 ?        Ss   11:23   0:00 sshd: root [priv]
sshd      1860  0.0  0.0  66956  3220 ?        S    11:23   0:00 sshd: root [net]
axfelix   1862  0.0  0.0  15240   936 pts/5    S+   11:23   0:00 grep --color=auto sshd
axfelix@shoebox:~$ pstree -p 1182
sshd(1182)─┬─sshd(1859)───sshd(1860)
           └─sshd(1863)───sshd(1864)
axfelix@shoebox:~$ pstree -p 1182
sshd(1182)─┬─sshd(1884)───sshd(1885)
           └─sshd(1886)───sshd(1887)

Any idea what this is about?

Jakuje
serilain
  • Do you have a lot of folks sshing into your machine? You'll see an sshd process for each session (including such things as scp). – DopeGhoti Apr 29 '16 at 18:26

2 Answers


Oh, looks like someone was trying to break into my machine :)

Turned off the port 22 forwarding rule on my router for now and they've gone away.

serilain

It is normal behavior when somebody is trying to connect to your computer. There are two new processes for each connection. And all the public IP addresses in the wild of the Internet are scanned by bots, hackers, or just researchers.

If you plan to run ssh on a public IP (or forward a port on the router to your PC), it is a good idea to disable password authentication and set up fail2ban at least.

Jakuje
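
The process pairs in the question (`sshd: root [priv]` plus `sshd: root [net]`) are connections that have not yet authenticated, so they can be counted straight from `ps aux` output. The following is an added example, not part of the original posts; the function names are made up for illustration, the sample lines are copied from the question, and it assumes the OpenSSH privilege-separation process titles shown there.

```shell
#!/bin/sh
# Summarise sshd connections still in the pre-authentication stage.
# Input: `ps aux`-style text on stdin (command starts at column 11).
# "sshd: NAME [net]" is the unprivileged child that exists only before login
# completes; its "[priv]" partner is the root-owned monitor for the same connection.

# Print "NAME COUNT" for each login name currently being attempted.
preauth_by_user() {
    awk '
        $11 == "sshd:" && $NF == "[net]" { n[$12]++ }
        END { for (u in n) print u, n[u] }
    ' | sort
}

# Print the total number of pre-auth connections (0 if none).
preauth_total() {
    awk '$11 == "sshd:" && $NF == "[net]" { c++ } END { print c + 0 }'
}

# Exit status 0 when more than $1 pre-auth connections are present.
preauth_exceeds() {
    [ "$(preauth_total)" -gt "$1" ]
}

# Sample input: the ps lines from the question above.
sample_ps() {
    cat <<'EOF'
root      1182  0.0  0.0  65612  6620 ?        Ss   Apr28   0:02 /usr/sbin/sshd -D
root      1857  1.0  0.0 107080  7052 ?        Ss   11:23   0:00 sshd: root [priv]
sshd      1858  0.0  0.0  66956  3228 ?        S    11:23   0:00 sshd: root [net]
root      1859  1.2  0.0 107080  7160 ?        Ss   11:23   0:00 sshd: root [priv]
sshd      1860  0.0  0.0  66956  3220 ?        S    11:23   0:00 sshd: root [net]
axfelix   1862  0.0  0.0  15240   936 pts/5    S+   11:23   0:00 grep --color=auto sshd
EOF
}

# The listener (1182) and the grep line are ignored; two root attempts remain.
sample_ps | preauth_by_user
if sample_ps | preauth_exceeds 1; then
    echo "more than one unauthenticated sshd connection in progress"
fi
```

On a live host, pipe `ps aux` into `preauth_by_user` instead of `sample_ps`; a steady stream of `root` entries from outside is the scanning the answers describe.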