Does FIN-WAIT-1 mean I was hacked?
I'm very new to server security and this is my first post here. Recently, my server has been experiencing many SSH login attempts from unknown sources.
A couple of minutes ago I logged in to the server and decided to check out the TCP sockets by issuing the ss -t command, and discovered a socket in the FIN-WAIT-1 state.
I'm not sure what to think about it. Has someone successfully connected?
State Recv-Q Send-Q Local Address:Port Peer Address:Port
FIN-WAIT-1 0 69 139.132.21.45:ssh 123.156.225.58:36092
Also, the last command gives me these entries, but I did not log in as root today.
root ttyS0 Tue Nov 2 17:10 still logged in
reboot system boot 4.15.0-161-gener Tue Nov 2 17:10 still running
Should I be worried?
Solution 1:
Has someone successfully connected?
Yes, but this doesn't actually mean anything; it only says a TCP connection was established and then closed. There is no relationship with what the remote user was or was not able to do.
Case in point: you connect to a remote host using SSH, then you provide wrong credentials; the server will close the connection. A connection closed by the server will go (for a while) into the FIN-WAIT-1 state. But nobody actually logged in; it was simply a failed login attempt.
my server has been experiencing many SSH login attempts from unknown sources.
If you catch one of those attempts immediately after it failed, a socket in the FIN-WAIT-1 state is exactly what you would see at the network level.
Having said all of the above, you should put some kind of firewall in front of your server (or at the very least configure the system firewall to only allow logins from known, trusted sources); if you leave any computer exposed to the public Internet on common remote administration ports (SSH, RDP, etc.), you are just asking for trouble.
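The point of Solution 1 is that the socket state tells you nothing about authentication; only sshd's own log does. The following Python script is an added example (not code from the question or any of the answers) that cross-checks each socket on the SSH port, as reported by ss, against the sshd entries in the auth log for the same peer address and port, and reports whether that peer ever authenticated. The ss output and auth.log lines embedded below are constructed sample data; the log path, the host name "host" and the peer addresses are assumptions for illustration.

```python
"""Cross-check sockets seen in `ss -tn` against sshd auth-log entries.

Added example, not part of the original post. The socket listing and the
auth.log lines below are constructed sample data; in practice feed the
real output of `ss -tn` and `grep sshd /var/log/auth.log` into classify().
"""
import re
from collections import defaultdict

# Constructed sample `ss -tn` output (numeric ports, so 22 instead of "ssh").
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
FIN-WAIT-1 0      69     139.132.21.45:22     123.156.225.58:36092
ESTAB      0      0      139.132.21.45:22     203.0.113.7:51844
TIME-WAIT  0      0      139.132.21.45:22     123.156.225.58:36080
"""

# Constructed sample sshd lines in the usual /var/log/auth.log format.
SAMPLE_AUTH = """\
Nov  2 17:12:01 host sshd[2231]: Failed password for invalid user admin from 123.156.225.58 port 36080 ssh2
Nov  2 17:12:05 host sshd[2240]: Failed password for root from 123.156.225.58 port 36092 ssh2
Nov  2 17:12:05 host sshd[2240]: Connection closed by authenticating user root 123.156.225.58 port 36092 [preauth]
Nov  2 17:13:40 host sshd[2255]: Accepted publickey for deploy from 203.0.113.7 port 51844 ssh2
"""

# sshd logs the client's source port, which is what lets us pair a log
# line with one specific socket rather than just with a peer IP.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_ss(text):
    """Return (state, local_ip, local_port, peer_ip, peer_port) per socket line."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue  # skip the header and anything malformed
        state, _recvq, _sendq, local, peer = parts[:5]
        lip, lport = local.rsplit(":", 1)
        pip, pport = peer.rsplit(":", 1)
        sockets.append((state, lip, int(lport), pip, int(pport)))
    return sockets


def parse_auth(text):
    """Return {(peer_ip, peer_port): [(outcome, user), ...]} from sshd log lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events[(m["ip"], int(m["port"]))].append((m["outcome"], m["user"]))
    return events


def classify(ss_text, auth_text, ssh_port=22):
    """For each socket on the SSH port, say what sshd recorded for that exact peer socket."""
    events = parse_auth(auth_text)
    report = []
    for state, _lip, lport, pip, pport in parse_ss(ss_text):
        if lport != ssh_port:
            continue
        outcomes = events.get((pip, pport), [])
        if any(outcome == "Accepted" for outcome, _ in outcomes):
            verdict = "AUTHENTICATED"
        elif outcomes:
            verdict = "FAILED_AUTH"
        else:
            # No auth line yet: still in preauth, or dropped before trying.
            verdict = "NO_AUTH_RECORD"
        report.append((f"{pip}:{pport}", state, verdict))
    return report


if __name__ == "__main__":
    for peer, state, verdict in classify(SAMPLE_SS, SAMPLE_AUTH):
        print(f"{peer:<24} {state:<12} {verdict}")
```

On the sample data the FIN-WAIT-1 socket from 123.156.225.58:36092 maps to a "Failed password for root" line, which is exactly the failed-attempt-then-close sequence the answer describes; the only AUTHENTICATED entry is the established session from a different peer. An ESTAB socket with NO_AUTH_RECORD is the one to keep watching, since sshd has not yet logged an outcome for it.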
Solution 2:
No. It means that the socket is being closed. It's a TCP state.
Solution 3:
You can see the connection attempts to your machine in real time with: tcpdump -v dst host {your_ip_ext} and 'tcp[tcpflags] == tcp-syn'