LSOF connection established

Question

I was wondering, if the output of

lsof -i 

sshd      21880     root    3r  IPv4 4843515       TCP somehost.lu.isp.com:ssh->d-XX-XXX.ITS.SOMEWHERE.COM:45037 (ESTABLISHED)
sshd      21882     mike    3u  IPv4 4843515       TCP somehost.lu.isp.com:ssh->d-XX-XXX.ITS.SOMEWHERE.COM:45037 (ESTABLISHED)
sshd      23853     root    3u  IPv6  960417       TCP *:ssh (LISTEN)
sshd      23853     root    4u  IPv4  960419       TCP *:ssh (LISTEN)
sshd      24043     root    3r  IPv4 4871654       TCP somehost.lu.isp.com:ssh->XXX.XX.XXX.XXX:42104 (ESTABLISHED)
sshd      24044     sshd    3u  IPv4 4871654       TCP somehost.lu.isp.com:ssh->XXX.XX.XXX.XXX:42104 (ESTABLISHED)

Does that imply that somebody has logged in on the system and is currently doing something? or means it's just trying to log in? I'm not quite sure about it.

Any clues? Thanks

Answer 1

According to this

lsof -i only shows you active tcp connections. So it doesn't tell you if there logged in or still attempting to authenticate.

if you want to check to see who's logged in and from where you can run the "who" command. which will give you a list of the users logged in and where there logged in from (e.g. ssh, tty, etc)

Answer 2

The 'ESTABLISHED' means the TCP connection is established, ie the handshake has been performed on TCP/IP level. This is needed before the ssh process sees any data at all. Theoretically, the connection could be quite long in ESTABLISHED mode without sending any data depending on the timeouts set (on TCP level and/or sshd config). Expect login to occur after it.

To look into it more, use 'iptraf' for monitoring the amount of traffic, or see /var/log/auth.log (at least, on a Debian system) for seeing who succesfully logged on.