Unrecognized SSH access on server?

I'm running a basic Ubuntu server from Digital Ocean, which I use an SSH key (stored on my Desktop) to access.

I've just run netstat -ap with the following result:

Local Address     Foreign Address        State        PID
XX.XXX.XX.192  183.214.141.105:53929   ESTABLISHED 25193/sshd: root [p 

This isn't me, I've searched the IP and it's under a number of banned lists and originates from China.

My Questions:

1) As the state is 'ESTABLISHED', does that mean they have access to my server via SSH? Or is this brute force attempts to gain entry?

2) How could my server have been compromised? I'm not aware that brute force can work on SSH keys? Wouldn't they have to access my key on my Desktop?


1) Established only means that the connection is fully open and data can be transmitted. It doesn't necessarily mean that any data has been transmitted! It doesn't imply anything about layer 7, whether someone has authenticated to your system or not. You can check your system logs to learn if someone has authenticated successfully. (source)

2) Maybe. You are going to need to check your logs and see if someone has authenticated successfully. On Ubuntu, ssh logs can be found in /var/log/auth

https://unix.stackexchange.com/questions/127432/logging-ssh-access-attempts

Don't forget that you can brute-force the passphrase of an ssh key.

On a side note, rebuilding a private key from a public one is currently technically impossible.

https://security.stackexchange.com/questions/33238/brute-forcing-ssh-keys

I would recommend using some two-factor authentication with ssh, and Fail2ban.

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs -- too many password failures.
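As an added example (not part of the question or the answer above), here is a small Python script that does the two checks the answer recommends against sshd's auth log: it lists every successful authentication (with method and source IP, so an "Accepted password" line on a box that is supposed to be key-only stands out) and it applies Fail2ban-style maxretry/findtime logic to find source IPs that would be banned. The log lines are constructed samples in the syslog format sshd writes on Ubuntu; the hostname, PIDs, user names and documentation-range IPs are made up, and the Fail2ban thresholds are assumed defaults rather than read from any jail config.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (sshd lines as they appear on Ubuntu). Hostname,
# PIDs, users and the IPs (RFC 5737 documentation ranges) are all made up.
SAMPLE_AUTH_LOG = """\
Mar 10 14:02:11 web1 sshd[25193]: Failed password for root from 198.51.100.23 port 53929 ssh2
Mar 10 14:02:13 web1 sshd[25193]: Failed password for root from 198.51.100.23 port 53929 ssh2
Mar 10 14:02:15 web1 sshd[25201]: Failed password for invalid user admin from 198.51.100.23 port 53930 ssh2
Mar 10 14:02:17 web1 sshd[25204]: Failed password for invalid user oracle from 198.51.100.23 port 53931 ssh2
Mar 10 14:02:19 web1 sshd[25207]: Failed password for root from 198.51.100.23 port 53932 ssh2
Mar 10 14:05:40 web1 sshd[25410]: Accepted publickey for deploy from 203.0.113.7 port 40122 ssh2: RSA SHA256:examplefingerprint
Mar 10 14:05:40 web1 sshd[25410]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar 10 14:30:02 web1 sshd[25600]: Accepted password for root from 198.51.100.23 port 53990 ssh2
"""

# Matches the "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>" lines sshd logs.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return a list of authentication events (dicts) from auth.log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # pam/session/disconnect lines are not auth results
        # syslog timestamps carry no year; strptime fills in 1900, which is
        # enough for the relative comparisons below (year rollover ignored).
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m.group("result"),
                       "method": m.group("method"), "user": m.group("user"),
                       "ip": m.group("ip")})
    return events


def successful_logins(events):
    """(user, method, ip) for every authentication that sshd accepted."""
    return [(e["user"], e["method"], e["ip"]) for e in events
            if e["result"] == "Accepted"]


def unexpected_password_logins(events):
    """On a key-only server any accepted *password* login is a red flag."""
    return [(u, ip) for u, method, ip in successful_logins(events)
            if method == "password"]


def ips_to_ban(events, maxretry=5, findtime_seconds=600):
    """IPs with >= maxretry failures inside any findtime window (Fail2ban logic).

    maxretry/findtime are assumed illustrative values, not read from a jail.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    banned = set()
    for ip, stamps in failures.items():
        stamps.sort()
        # sliding window: do any maxretry consecutive failures fit in findtime?
        for i in range(len(stamps) - maxretry + 1):
            span = (stamps[i + maxretry - 1] - stamps[i]).total_seconds()
            if span <= findtime_seconds:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("successful logins:", successful_logins(evs))
    print("password logins (bad on a key-only host):",
          unexpected_password_logins(evs))
    print("would be banned by fail2ban:", sorted(ips_to_ban(evs)))
```

Run it against the real file with `parse_auth_log(open("/var/log/auth.log").read())`; on a production host also check rotated copies (auth.log.1, auth.log.*.gz), since a brute-force run that succeeded last week is not in the current file.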