Does "ESTABLISHED" state in netstat command for the sshd program mean they actually have access?
I have this person(or bot) from an IP in Chile which has an "ESTABLISHED" connection to SSHD as root on my server.
I'm trying to understand what netstat's outputs really mean, the manual doesn't really provide much details about them. Here's what I get:
root@linode [~]# netstat -tanpc|grep 200.29.174.125
tcp 0 840 45.33.71.204:22 200.29.174.125:40506 ESTABLISHED 12016/sshd
tcp 0 21 45.33.71.204:22 200.29.174.125:40792 ESTABLISHED 12020/sshd
tcp 0 0 45.33.71.204:22 200.29.174.125:41079 SYN_RECV -
tcp 0 1 45.33.71.204:22 200.29.174.125:40792 FIN_WAIT1 -
tcp 0 84 45.33.71.204:22 200.29.174.125:41079 ESTABLISHED 12022/sshd
tcp 0 52 45.33.71.204:22 200.29.174.125:41353 ESTABLISHED 12024/sshd
tcp 0 0 45.33.71.204:22 200.29.174.125:41661 ESTABLISHED 12026/sshd
tcp 0 720 45.33.71.204:22 200.29.174.125:41959 ESTABLISHED 12028/sshd
tcp 0 0 45.33.71.204:22 200.29.174.125:42208 ESTABLISHED 12030/sshd
tcp 0 0 45.33.71.204:22 200.29.174.125:42509 ESTABLISHED 12032/sshd
tcp 0 21 45.33.71.204:22 200.29.174.125:42810 ESTABLISHED 12034/sshd
tcp 0 0 45.33.71.204:22 200.29.174.125:43094 SYN_RECV -
tcp 0 84 45.33.71.204:22 200.29.174.125:43094 ESTABLISHED 12036/sshd
tcp 0 52 45.33.71.204:22 200.29.174.125:43362 ESTABLISHED 12038/sshd
tcp 0 0 45.33.71.204:22 200.29.174.125:43676 ESTABLISHED 12040/sshd
tcp 0 720 45.33.71.204:22 200.29.174.125:43936 ESTABLISHED 12042/sshd
tcp 0 0 45.33.71.204:22 200.29.174.125:44229 ESTABLISHED 12044/sshd
tcp 0 840 45.33.71.204:22 200.29.174.125:44566 ESTABLISHED 12047/sshd
tcp 0 21 45.33.71.204:22 200.29.174.125:44844 ESTABLISHED 12056/sshd
tcp 0 0 45.33.71.204:22 200.29.174.125:45079 SYN_RECV -
tcp 0 84 45.33.71.204:22 200.29.174.125:45079 ESTABLISHED 12058/sshd
What I understand from the above output is that this person(or bot?) is changing ports every second and so a new PID for SSHD is created every time he(or it) "establishes" a connection. Am I right?
Next and more important thing I'd like to ask is does the "ESTABLISHED" state here mean that he(or it) actually has access to my server as the root user? Or if I'm right at my assumption above, does this mean he(or it) is scanning for ports in my server, still trying to get in?
Established only means that the connection is fully open and data can be transmitted. It doesn't necessarily mean that any data has been transmitted! It doesn't imply anything about layer 7, whether someone has authenticated to your system or not. You can check your system logs to learn if someone has authenticated successfully.