SSHD on port 6011/6010 ?
Dear List, I have a question about SSHD: Since I installed SuSE 7.2 (about a week ago), I keep getting a strange entry in the seccheck reports (very nice script, well done!): + sshd root TCP *:6010 (LISTEN) Alarmed by this entry, I ran tripwire on the box, but it could not find any changed binaries. The entry is also not permanent, it does disappear and come back and I have, to be honest, no clear impression of what's going on. I have a few users on my box, most of them run a bounce or BitchX or some eggdrops; even an IRCU is present. As for running services, there is apache with PHP, Perl and Phyton on port 80, OpenSSH on port 22, Identd on port 113, postfix on port 25 and a firewalled XNTPD on port 123. When I ssh to the port (6010) while it is open, I get an SSH login. It seems to be the standard sshd running on the box, since logging into /var/log/messages occurs. I have also noticed, that the port has changed from 6011 to 6010. Right now it is closed again, whereas this morning, aroung 4:30am, it was open. Very weird. In /etc/ssh/sshd_config, it looks like this: <snip> Port 22 Protocol 1,2 ListenAddress 212.117.195.110 #ListenAddress :: </snip> So I dont think that SSHD listening on 6010 is legit? Or might it have to do with IPv6 support? I commented out the ListenAddress, since I do not wish to support ipv6 as long as the box is not connected to the 6bone ;-) Another theory would be that it has to do with X11 forwarding, but thats disabled in sshd config, too... Any comments and suggestions apperciated. Chr Burri .-. /v\ L I N U X // \\ >Phear the Penguin< /( )\ ^^-^^
christian.burri@synecta.ch wrote:
+ sshd root TCP *:6010 (LISTEN)
Any comments and suggestions apperciated.
this is the x forward port, if you logged on, this port is opened and DISPLAY is set to the port so that you can start a x app and it shows up on your local system. Sven -- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256
* Sven Michels
christian.burri@synecta.ch wrote:
+ sshd root TCP *:6010 (LISTEN)
Any comments and suggestions apperciated. this is the x forward port, if you logged on, this port is opened and DISPLAY is set to the port so that you can start a x app and it shows up on your local system.
In this case export DISPLAY :10.0 (bash and friends) setenv DISPLAY :10.0 (csh and friends) If you have more than one ssh connection to that box, you will see more connections (6011 DISPLAY=:11.0, 6012 DISPLAY=:12.0 &c &c) Currently listening to: - Smashing Pumpkins, Chicago, 11 () Gerhard, <@jasongeo.com> == The Acoustic Motorbiker == -- __O Standing above the crowd, he had a voice so strong and loud =`\<, we'll miss him (=)/(=) Ranting and pointing his finger, At everything but his heart we'll miss him
Gerhard den Hollander wrote:
this is the x forward port, if you logged on, this port is opened and DISPLAY is set to the port so that you can start a x app and it shows up on your local system.
In this case export DISPLAY :10.0 (bash and friends) setenv DISPLAY :10.0 (csh and friends) didn't need, that should be done automaticly after the login..
Sven -- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256
On Mon, Aug 20, 2001 at 02:23:48PM +0200, christian.burri@synecta.ch wrote:
I have a question about SSHD: Since I installed SuSE 7.2 (about a week ago), I keep getting a strange entry in the seccheck reports (very nice script, well done!):
+ sshd root TCP *:6010 (LISTEN)
Alarmed by this entry, I ran tripwire on the box, but it could not find any changed binaries. The entry is also not permanent, it does disappear and come back and I have, to be honest, no clear impression of what's going on.
In order to provide X forwarding, sshd creates virtual X interfaces at X (6000) + interface (10 or higher) = 6010 or higher.
Another theory would be that it has to do with X11 forwarding, but thats disabled in sshd config, too...
But this is not enforced. The users can enable it with the "-X" option or by an entry in their local $HOME/.ssh/ssh_config files. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
So I dont think that SSHD listening on 6010 is legit? Or might it have to do with IPv6 support?
This is X11-forwarding. As long as you're logged on and your client has requested X11-forwarding, you'll have that port open. If two clients w/ X11-forwarding have connected, then you have ports 6010 and 6011 bound. The configuration item X11DisplayOffset tells the sshd which $DISPLAY variable to set. port 6000 + $DISPLAY is the port that will be used by a client program on the remote side to connect to the daemon that forwards the X11-connection to the local side's X-server.
Another theory would be that it has to do with X11 forwarding, but thats disabled in sshd config, too...
Seems to be wrong, somehow.
Roman.
--
- -
| Roman Drahtmüller
participants (5)
-
christian.burri@synecta.ch
-
Gerhard den Hollander
-
Lutz Jaenicke
-
Roman Drahtmueller
-
Sven Michels