Is my server being hacked in?
Solution 1:
I don't think so; it seems you are just being scanned. That sshd user appears there because the sshd daemon - IIUC - has privilege separation, and during the initial authentication of a user it spawns a new process under the sshd user.
You can try yourself:
watch -n 0.5 "lsof -ni TCP | grep :ssh"
See first output:
Every 0.5s: lsof -ni TCP | grep :ssh localhost.localdomain: Wed Mar 24 22:07:58 2021
sshd 10010 root 3u IPv4 1532608 0t0 TCP *:ssh (LISTEN)
sshd 10010 root 4u IPv6 1532610 0t0 TCP *:ssh (LISTEN)
And try to log in as a non-existent user (I assume you allow password authentication here, so it waits for the user's password).
ssh jwwj@localhost
Password:
And you should see something like...
Every 0.5s: lsof -ni TCP | grep :ssh localhost.localdomain: Wed Mar 24 22:02:57 2021
sshd 10010 root 3u IPv4 1532608 0t0 TCP *:ssh (LISTEN)
sshd 10010 root 4u IPv6 1532610 0t0 TCP *:ssh (LISTEN)
ssh 11218 jiri 3u IPv4 1543472 0t0 TCP 127.0.0.1:38662->127.0.0.1:ssh (ESTABLISHED)
sshd 11219 root 4u IPv4 1544285 0t0 TCP 127.0.0.1:ssh->127.0.0.1:38662 (ESTABLISHED)
sshd 11220 sshd 4u IPv4 1544285 0t0 TCP 127.0.0.1:ssh->127.0.0.1:38662 (ESTABLISHED)
sshd 11221 root 4u IPv4 1544285 0t0 TCP 127.0.0.1:ssh->127.0.0.1:38662 (ESTABLISHED)
See that my (jiri) local ssh process to localhost caused the presence of a process with PID 11220.
(BTW this was tested on OpenSUSE Tumbleweed.)
Info about sshd privsep: https://security.stackexchange.com/a/115905/199910 and the OpenSSH project's presentation: https://www.openbsd.org/papers/openssh-measures-asiabsdcon2007-slides.pdf
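As an added illustration (not part of the answer above), the following Python script parses lsof -ni TCP output in the format shown, groups sshd sockets by remote endpoint, and uses the owner of the privsep child to tell connections still in authentication (child owned by the sshd user) from authenticated sessions (child owned by the login user). The sample lines, the RFC 5737 peer addresses and the noisy_peers threshold are constructed assumptions, not data from the question.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the answer's lsof output; peers use RFC 5737 ranges.
SAMPLE_LSOF = """\
sshd 10010 root 3u IPv4 1532608 0t0 TCP *:ssh (LISTEN)
sshd 11219 root 4u IPv4 1544285 0t0 TCP 127.0.0.1:ssh->127.0.0.1:38662 (ESTABLISHED)
sshd 11220 sshd 4u IPv4 1544285 0t0 TCP 127.0.0.1:ssh->127.0.0.1:38662 (ESTABLISHED)
sshd 11300 root 4u IPv4 1544400 0t0 TCP 192.0.2.10:ssh->198.51.100.7:51022 (ESTABLISHED)
sshd 11301 sshd 4u IPv4 1544400 0t0 TCP 192.0.2.10:ssh->198.51.100.7:51022 (ESTABLISHED)
sshd 11400 root 4u IPv4 1544500 0t0 TCP 192.0.2.10:ssh->198.51.100.7:51040 (ESTABLISHED)
sshd 11401 sshd 4u IPv4 1544500 0t0 TCP 192.0.2.10:ssh->198.51.100.7:51040 (ESTABLISHED)
sshd 11500 root 4u IPv4 1544600 0t0 TCP 192.0.2.10:ssh->203.0.113.5:40000 (ESTABLISHED)
sshd 11501 alice 4u IPv4 1544600 0t0 TCP 192.0.2.10:ssh->203.0.113.5:40000 (ESTABLISHED)
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; established TCP sockets only
LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)(?:\s+\S+){4}\s+TCP\s+"
    r"(?P<local>\S+)->(?P<remote>\S+)\s+\(ESTABLISHED\)$")

def ssh_sessions(lsof_text):
    """Map each remote endpoint of an sshd connection to its phase:
    'pre-auth' while the privsep child still runs as the 'sshd' user,
    'post-auth:<login>' once the child has become the authenticated user."""
    users_by_peer = defaultdict(set)
    for line in lsof_text.splitlines():
        m = LSOF_LINE.match(line)
        if m and m.group("cmd") == "sshd":
            users_by_peer[m.group("remote")].add(m.group("user"))
    phases = {}
    for peer, users in users_by_peer.items():
        logins = users - {"root", "sshd"}
        if "sshd" in users:
            phases[peer] = "pre-auth"
        elif logins:
            phases[peer] = "post-auth:" + ",".join(sorted(logins))
        else:
            phases[peer] = "unknown"   # only the root monitor was seen
    return phases

def noisy_peers(lsof_text, threshold=2):
    """Remote IPs holding at least `threshold` pre-auth connections at once:
    a cheap scan/brute-force indicator to corroborate against auth.log."""
    counts = defaultdict(int)
    for peer, phase in ssh_sessions(lsof_text).items():
        if phase == "pre-auth":
            counts[peer.rsplit(":", 1)[0]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

On a live host, feed it the output of `lsof -ni TCP` (for example via subprocess.run) instead of SAMPLE_LSOF; a single short-lived pre-auth entry from an unknown IP is the scanner pattern the answer describes, while many concurrent ones from one IP are worth checking against the failed-login entries in the auth log.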