Does "ESTABLISHED" state in netstat command for the sshd program mean they actually have access?

Nim LeFleur asked:

I have this person(or bot) from an IP in Chile which has an “ESTABLISHED” connection to SSHD as root on my server.

I’m trying to understand what netstat’s outputs really mean, the manual doesn’t really provide much details about them. Here’s what I get:

root@linode [~]# netstat -tanpc|grep 200.29.174.125
tcp        0    840 45.33.71.204:22             200.29.174.125:40506        ESTABLISHED 12016/sshd
tcp        0     21 45.33.71.204:22             200.29.174.125:40792        ESTABLISHED 12020/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:41079        SYN_RECV    -
tcp        0      1 45.33.71.204:22             200.29.174.125:40792        FIN_WAIT1   -
tcp        0     84 45.33.71.204:22             200.29.174.125:41079        ESTABLISHED 12022/sshd
tcp        0     52 45.33.71.204:22             200.29.174.125:41353        ESTABLISHED 12024/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:41661        ESTABLISHED 12026/sshd
tcp        0    720 45.33.71.204:22             200.29.174.125:41959        ESTABLISHED 12028/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:42208        ESTABLISHED 12030/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:42509        ESTABLISHED 12032/sshd
tcp        0     21 45.33.71.204:22             200.29.174.125:42810        ESTABLISHED 12034/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:43094        SYN_RECV    -
tcp        0     84 45.33.71.204:22             200.29.174.125:43094        ESTABLISHED 12036/sshd
tcp        0     52 45.33.71.204:22             200.29.174.125:43362        ESTABLISHED 12038/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:43676        ESTABLISHED 12040/sshd
tcp        0    720 45.33.71.204:22             200.29.174.125:43936        ESTABLISHED 12042/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:44229        ESTABLISHED 12044/sshd
tcp        0    840 45.33.71.204:22             200.29.174.125:44566        ESTABLISHED 12047/sshd
tcp        0     21 45.33.71.204:22             200.29.174.125:44844        ESTABLISHED 12056/sshd
tcp        0      0 45.33.71.204:22             200.29.174.125:45079        SYN_RECV    -
tcp        0     84 45.33.71.204:22             200.29.174.125:45079        ESTABLISHED 12058/sshd

What I understand from the above output is that this person(or bot?) is changing ports every second and so a new PID for SSHD is created every time he(or it) “establishes” a connection. Am I right?

Next and more important thing I’d like to ask is does the “ESTABLISHED” state here mean that he(or it) actually has access to my server as the root user? Or if I’m right at my assumption above, does this mean he(or it) is scanning for ports in my server, still trying to get in?

My answer:


Established only means that the connection is fully open and data can be transmitted. It doesn’t necessarily mean that any data has been transmitted! It doesn’t imply anything about layer 7, whether someone has authenticated to your system or not. You can check your system logs to learn if someone has authenticated successfully.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.