I've run nmap on localhost and it showed that I've got some ports open:
Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-05 14:17 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000030s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
I did the scan a few days ago, and it printed similar results. I have disabled sshd, using:
# systemctl disable sshd
# systemctl stop sshd
But sshd is somehow enabled again. Why could ssh be enabled on my desktop machine again? Could my desktop machine be somehow compromised? Or could it be some application or update which enabled sshd?
Last edited by kravemir (2015-11-05 13:38:42)
Offline
Arch doesn't do anything on its own by default. Are you sure it's the SSH server that is running? Have you checked the output of these commands?
systemctl status sshd
pgrep sshd
You can search for applications that have an open port with
lsof -i
EDIT: Welcome to the Arch Linux forums, by the way!
Last edited by ayekat (2015-11-05 21:40:47)
Offline
Also check
$ systemctl status sshd.socket
Offline
What's the output of
uname -a
Offline
I've been very busy the last few days - work, university. Finally I've got time to investigate it more. Here's the output of the commands:
0 ;) miroslav ~ $ systemctl status sshd
● sshd.service - OpenSSH Daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2015-11-12 07:48:34 CET; 55min ago
Main PID: 770 (sshd)
CGroup: /system.slice/sshd.service
└─770 /usr/bin/sshd -D
Nov 12 07:48:34 miroslav-desktop systemd[1]: Started OpenSSH Daemon.
Nov 12 07:48:34 miroslav-desktop sshd[770]: Server listening on 0.0.0.0 port 22.
Nov 12 07:48:34 miroslav-desktop sshd[770]: Server listening on :: port 22.
0 ;) miroslav ~ $ pgrep sshd
770
0 ;) miroslav ~ $ systemctl status sshd.socket
● sshd.socket
Loaded: loaded (/usr/lib/systemd/system/sshd.socket; disabled; vendor preset: disabled)
Active: inactive (dead)
Listen: [::]:22 (Stream)
Accepted: 0; Connected: 0
3 :( miroslav ~ $ uname -a
Linux miroslav-desktop 4.2.5-1-ARCH #1 SMP PREEMPT Tue Oct 27 08:13:28 CET 2015 x86_64 GNU/Linux
0 ;) miroslav ~ $ sudo nmap localhost
[sudo] password for miroslav:
Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-12 08:45 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000030s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
I did disable ssh when I started the thread. It enabled itself again. It's strange, because I've got a quite similar Arch Linux setup on my laptop, and the laptop doesn't enable ssh on its own.
EDIT: Is there a workaround to let it start but limit it to local connections only, so it won't listen on any IP address, just 127.0.0.1?
Last edited by kravemir (2015-11-12 07:50:32)
Offline
You can see if
$ systemctl show -p WantedBy,RequiredBy sshd.service
shows any units responsible for sshd being started.
Offline
Could you paste the part of the journal around the moment when sshd was started? If you haven't started it yourself, we might see what has triggered it.
If you mean `journalctl -b`, then this is 2610 lines long; is there a way to narrow results for this purpose?
$ systemctl show -p WantedBy,RequiredBy sshd.service
RequiredBy=
WantedBy=
Offline
ayekat wrote: Could you paste the part of the journal around the moment when sshd was started? If you haven't started it yourself, we might see what has triggered it.
If you mean `journalctl -b`, then this is 2610 lines long; is there a way to narrow results for this purpose?
You can see a few lines in the `systemctl status` output; that narrows it down to a specific date and time. You can also use "-u sshd.service", but that might be too narrow.
Offline
kravemir wrote: If you mean `journalctl -b`, then this is 2610 lines long; is there a way to narrow results for this purpose?
You can see a few lines in the `systemctl status` output; that narrows it down to a specific date and time. You can also use "-u sshd.service", but that might be too narrow.
Or try
journalctl -b | grep -i ssh
Offline
Raynman wrote: kravemir wrote: If you mean `journalctl -b`, then this is 2610 lines long; is there a way to narrow results for this purpose?
You can see a few lines in the `systemctl status` output; that narrows it down to a specific date and time. You can also use "-u sshd.service", but that might be too narrow.
Or try
journalctl -b | grep -i ssh
Or search for ssh in your pager (journalctl probably starts it for you). Then you can also scroll to see nearby lines that the above grep would have discarded.
Offline
x33a wrote: Raynman wrote: You can see a few lines in the `systemctl status` output; that narrows it down to a specific date and time. You can also use "-u sshd.service", but that might be too narrow.
Or try
journalctl -b | grep -i ssh
Or search for ssh in your pager (journalctl probably starts it for you). Then you can also scroll to see nearby lines that the above grep would have discarded.
I've grep-ed it with surrounding lines:
$ journalctl -b | grep -i ssh -B 3 -A 2
Nov 12 07:48:34 miroslav-desktop ntpd[766]: Listen normally on 4 lo [::1]:123
Nov 12 07:48:34 miroslav-desktop ntpd[766]: Listen normally on 5 wlp0s20u2u3 [fe80::225:22ff:fe4c:ce31%3]:123
Nov 12 07:48:34 miroslav-desktop ntpd[766]: Listening on routing socket on fd #22 for interface updates
Nov 12 07:48:34 miroslav-desktop systemd[1]: Started OpenSSH Daemon.
Nov 12 07:48:34 miroslav-desktop sshd[770]: Server listening on 0.0.0.0 port 22.
Nov 12 07:48:34 miroslav-desktop sshd[770]: Server listening on :: port 22.
Nov 12 07:49:18 miroslav-desktop lightdm[583]: pam_unix(lightdm-greeter:session): session closed for user lightdm
Nov 12 07:49:18 miroslav-desktop systemd-logind[492]: Removed session c1.
--
Nov 12 09:53:06 miroslav-desktop NetworkManager[488]: <info> (tun0): Activation: successful, device activated.
Nov 12 09:53:06 miroslav-desktop systemd[1]: Started Network Manager Script Dispatcher Service.
Nov 12 09:53:06 miroslav-desktop nm-dispatcher[4408]: Dispatching action 'vpn-up' for tun0
Nov 12 09:53:06 miroslav-desktop systemd[1]: Started OpenSSH Daemon.
Nov 12 09:53:06 miroslav-desktop nm-dispatcher[4408]: Dispatching action 'up' for tun0
Nov 12 09:53:06 miroslav-desktop systemd[1]: Started Network Time Service.
Nov 12 09:53:06 miroslav-desktop systemd[1]: Started OpenSSH Daemon.
Nov 12 09:53:08 miroslav-desktop ntpd[766]: Listen normally on 6 tun0 192.168.249.153:123
Nov 12 09:53:08 miroslav-desktop ntpd[766]: new interface(s) found: waking up resolver
--
Nov 12 11:00:44 miroslav-desktop dbus[494]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Nov 12 11:00:44 miroslav-desktop nm-dispatcher[6890]: Dispatching action 'vpn-down' for tun0
Nov 12 11:00:44 miroslav-desktop dbus-daemon[804]: Activating service name='org.freedesktop.secrets'
Nov 12 11:00:44 miroslav-desktop systemd[1]: Stopping OpenSSH Daemon...
Nov 12 11:00:44 miroslav-desktop sshd[770]: Received signal 15; terminating.
Nov 12 11:00:44 miroslav-desktop systemd[1]: Stopped OpenSSH Daemon.
Nov 12 11:00:44 miroslav-desktop nm-dispatcher[6890]: Dispatching action 'down' for tun0
Nov 12 11:00:44 miroslav-desktop dbus-daemon[804]: Successfully activated service 'org.freedesktop.secrets'
Nov 12 11:00:44 miroslav-desktop org.freedesktop.secrets[804]: SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
Nov 12 11:00:44 miroslav-desktop ntpd[766]: ntpd exiting on signal 15 (Terminated)
Nov 12 11:00:44 miroslav-desktop systemd[1]: Stopping Network Time Service...
--
Nov 12 11:00:44 miroslav-desktop ntpd[766]: 80.79.25.111 local addr 10.0.0.2 -> <null>
Nov 12 11:00:44 miroslav-desktop ntpd[766]: 147.251.48.140 local addr 10.0.0.2 -> <null>
Nov 12 11:00:44 miroslav-desktop systemd[1]: Stopped Network Time Service.
Nov 12 11:00:44 miroslav-desktop systemd[1]: Stopped OpenSSH Daemon.
Nov 12 11:03:44 miroslav-desktop NetworkManager[488]: <info> VPN service 'openvpn' disappeared
Nov 12 11:04:31 miroslav-desktop kernel: perf interrupt took too long (2503 > 2495), lowering kernel.perf_event_max_sample_rate to 50100
Could it be Network Manager, because of VPN? But it was started even when I didn't use VPN...
Offline
I see that the ntp service is started and stopped every time sshd is started or stopped. You might want to look into that. I cannot imagine how they can be related, but that's all I can tell from these logs.
Offline
Do you have networkmanager-dispatcher-sshd installed?
Offline
I have disabled sshd, using:
# systemctl disable sshd
# systemctl stop sshd
Hi, maybe here is the misunderstanding: "Disable" means: do not start a unit during bootup
You want to try "mask":
# systemctl mask sshd
Mask a unit to make it impossible to start it
Best regards ua4000
Offline