How do I find which software is doing an SSH connection?

I use a key (not password) to ssh into a server, but my IP address is frequently banned by the server.

After looking into the server auth.log, I found that someone (or some software) is trying every 10-20 minutes to ssh with the wrong password.

Jun 15 21:23:26 www sshd[31046]: Failed password for git from 218.81.128.80 port 37012 ssh2
Jun 15 21:23:26 www sshd[31046]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37012 ssh2 [preauth]
Jun 15 21:23:26 www sshd[31046]: Disconnecting authenticating user git 218.81.128.80 port 37012: Too many authentication failures [preauth]
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: error: maximum authentication attempts exceeded for git from 218.81.128.80 port 37146 ssh2 [preauth]
Jun 15 21:33:26 www sshd[31931]: Disconnecting authenticating user git 218.81.128.80 port 37146: Too many authentication failures [preauth]
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
Jun 15 21:53:26 www sshd[870]: error: maximum authentication attempts exceeded for git from 101.81.237.208 port 37384 ssh2 [preauth]
Jun 15 21:53:26 www sshd[870]: Disconnecting authenticating user git 101.81.237.208 port 37384: Too many authentication failures [preauth]

I'm using PyCharm/PhpStorm, etc., and created a Git server on my server.

I've checked the settings for these two software packages and have no idea what is happening. I even changed my computer, but it made no difference.
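The auth.log excerpt above can be read for timing before touching the client. The following is an added example, not part of the original posts: it collapses the failures into one record per sshd session, groups them by target user rather than by source IP (the client's address changes in the excerpt), and computes the gaps between sessions. A common period across the gaps is a heuristic sign of a scheduled background task rather than a person typing. The function names and the parsing year are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from functools import reduce
from math import gcd

# "Failed password" lines copied from the auth.log excerpt in the question.
SAMPLE = """\
Jun 15 21:23:26 www sshd[31046]: Failed password for git from 218.81.128.80 port 37012 ssh2
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:33:26 www sshd[31931]: Failed password for git from 218.81.128.80 port 37146 ssh2
Jun 15 21:53:26 www sshd[870]: Failed password for git from 101.81.237.208 port 37384 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def sessions_by_user(text, year=2000):
    """Map user -> sorted [(first failure time, source IP)], one entry per sshd PID."""
    seen = {}
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts, pid, user, ip = m.groups()
            # syslog timestamps carry no year; 'year' is assumed, used only for parsing
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            seen.setdefault((user, pid), (when, ip))  # keep first failure per session
    out = defaultdict(list)
    for (user, _pid), rec in seen.items():
        out[user].append(rec)
    return {u: sorted(v) for u, v in out.items()}

def cadence(records):
    """Return (gaps between sessions in seconds, greatest common period of the gaps)."""
    times = [t for t, _ in records]
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return gaps, reduce(gcd, gaps, 0)

if __name__ == "__main__":
    for user, recs in sessions_by_user(SAMPLE).items():
        gaps, period = cadence(recs)
        ips = sorted({ip for _, ip in recs})
        print(f"{user}: {len(recs)} sessions from {ips}, gaps {gaps}s, period {period}s")
```

On the excerpt, every session for git falls on a multiple of 600 seconds even though the source address changes, which points at a timer-driven client.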


Actually, I found the answer.

It's a PyCharm plugin called Git Integration.

After I disabled this plugin, the problem was solved.


sudo lsof | grep ssh | grep git | grep IPv4 on the client machine that's doing it should tell you what's doing it at the time.

lsof will tell you what's using a file (and everything is a file in *nix). We're filtering for ssh and your username and IPv4 connections.

You would need to do this while your system is trying to log in.

Simply removing the git user would likely just hide the problem - since there's something running that's sshing into the other machine.


I know you already solved your problem but I had another idea I just wanted to mention.

You could replace the original SSH executable with a shell script that records the parent PID and then execs the original SSH.

Didn't test this but should work like:

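#!/bin/bash

# Installed in place of ssh; the real binary is renamed to ssh.orig (must be on PATH).
# Log timestamp, parent PID and arguments to a fixed location, then run the real ssh.
echo "$(date) $PPID $*" >> "$HOME/recordfile.log"
exec ssh.orig "$@"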