Does "ESTABLISHED" state in netstat command for the sshd program mean they actually have access?

Nim LeFleur asked:

I have this person (or bot) from an IP in Chile which has an “ESTABLISHED” connection to SSHD as root on my server.

I’m trying to understand what netstat’s outputs really mean; the manual doesn’t really provide much detail about them. Here’s what I get:

root@linode [~]# netstat -tanpc|grep
tcp        0    840           ESTABLISHED 12016/sshd
tcp        0     21           ESTABLISHED 12020/sshd
tcp        0      0           SYN_RECV    -
tcp        0      1           FIN_WAIT1   -
tcp        0     84           ESTABLISHED 12022/sshd
tcp        0     52           ESTABLISHED 12024/sshd
tcp        0      0           ESTABLISHED 12026/sshd
tcp        0    720           ESTABLISHED 12028/sshd
tcp        0      0           ESTABLISHED 12030/sshd
tcp        0      0           ESTABLISHED 12032/sshd
tcp        0     21           ESTABLISHED 12034/sshd
tcp        0      0           SYN_RECV    -
tcp        0     84           ESTABLISHED 12036/sshd
tcp        0     52           ESTABLISHED 12038/sshd
tcp        0      0           ESTABLISHED 12040/sshd
tcp        0    720           ESTABLISHED 12042/sshd
tcp        0      0           ESTABLISHED 12044/sshd
tcp        0    840           ESTABLISHED 12047/sshd
tcp        0     21           ESTABLISHED 12056/sshd
tcp        0      0           SYN_RECV    -
tcp        0     84           ESTABLISHED 12058/sshd

What I understand from the above output is that this person (or bot?) is changing ports every second, and so a new PID for SSHD is created every time he (or it) “establishes” a connection. Am I right?

Next, and more importantly, I’d like to ask: does the “ESTABLISHED” state here mean that he (or it) actually has access to my server as the root user? Or, if I’m right in my assumption above, does this mean he (or it) is scanning for ports on my server, still trying to get in?

My answer:

Established only means that the connection is fully open and data can be transmitted. It doesn’t necessarily mean that any data has been transmitted! It doesn’t imply anything about layer 7, whether someone has authenticated to your system or not. You can check your system logs to learn if someone has authenticated successfully.

View the full question and answer on Server Fault.
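The answer says to check the system logs rather than the socket state. Here is an added example (not part of the original question or answer) that parses sshd syslog lines per source IP and reports whether any authentication actually succeeded; the log lines are constructed samples in the usual OpenSSH format, and the regexes assume that format.

```python
"""Per-IP summary of sshd authentication outcomes from auth.log-style lines.

Added example, not from the original post. Sample lines below are constructed;
the regexes assume standard OpenSSH syslog wording and may need adjusting."""
import re
from collections import defaultdict

# Constructed sample: one IP only fails / disconnects pre-auth, another succeeds.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 linode sshd[12016]: Failed password for root from 203.0.113.7 port 51021 ssh2
Jan 10 12:00:02 linode sshd[12016]: Connection closed by 203.0.113.7 port 51021 [preauth]
Jan 10 12:00:03 linode sshd[12020]: Invalid user admin from 203.0.113.7 port 51022
Jan 10 12:00:04 linode sshd[12020]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 10 12:05:00 linode sshd[12099]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2: RSA SHA256:abc...
Jan 10 12:05:00 linode sshd[12099]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

FAILED_RE = re.compile(r"sshd\[(\d+)\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+) port (\d+)")
ACCEPTED_RE = re.compile(r"sshd\[(\d+)\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)")
PREAUTH_RE = re.compile(r"sshd\[(\d+)\]: .* by (\S+) port (\d+) \[preauth\]")


def summarize(log_text):
    """Return {ip: {"failed": n, "accepted": [(user, method)], "preauth_closed": n}}."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": [], "preauth_closed": 0})
    for line in log_text.splitlines():
        if m := ACCEPTED_RE.search(line):
            _pid, method, user, ip, _port = m.groups()
            stats[ip]["accepted"].append((user, method))
        elif m := FAILED_RE.search(line):
            _pid, _user, ip, _port = m.groups()
            stats[ip]["failed"] += 1
        elif m := PREAUTH_RE.search(line):
            # Client gave up or was dropped before authenticating: no access.
            _pid, ip, _port = m.groups()
            stats[ip]["preauth_closed"] += 1
    return dict(stats)


def has_access(log_text, ip):
    """True only if sshd logged an 'Accepted' line for this IP, i.e. authentication
    succeeded. An ESTABLISHED TCP socket alone never produces such a line."""
    return bool(summarize(log_text).get(ip, {}).get("accepted"))


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_AUTH_LOG).items():
        print(ip, s)
```

Feed it the real log (for example /var/log/auth.log or /var/log/secure, depending on the distribution) and look up the IP seen in netstat; many ESTABLISHED entries with only failed or preauth lines is a brute-force attempt, not a login.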

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.