Question

Constant flow of SSH packets on eth0 interface

Posted May 31, 2021
Networking

I’m getting a constant flow of SSH packets on my droplet and I do not fully understand why. Could someone enlighten me?

12:13:24.985673 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6561840:6562108, ack 3241, win 501, length 268
12:13:24.985907 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6562108:6562272, ack 3241, win 501, length 164
12:13:24.986141 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6562272:6562436, ack 3241, win 501, length 164
12:13:24.986416 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6562436:6562600, ack 3241, win 501, length 164
12:13:24.986647 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6562600:6562764, ack 3241, win 501, length 164
12:13:24.987022 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6562764:6562928, ack 3241, win 501, length 164
12:13:24.987366 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6562928:6563092, ack 3241, win 501, length 164
12:13:24.987737 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6563092:6563256, ack 3241, win 501, length 164
12:13:24.987831 IP 130.226.132.96.49190 > 64.225.111.81.ssh: Flags [.], ack 6555300, win 39, length 0
12:13:24.987856 IP 130.226.132.96.49190 > 64.225.111.81.ssh: Flags [.], ack 6555628, win 38, length 0
12:13:24.987878 IP 130.226.132.96.49190 > 64.225.111.81.ssh: Flags [.], ack 6555956, win 37, length 0
12:13:24.987887 IP 130.226.132.96.49190 > 64.225.111.81.ssh: Flags [.], ack 6556284, win 35, length 0
12:13:24.987904 IP 130.226.132.96.49190 > 64.225.111.81.ssh: Flags [.], ack 6556612, win 34, length 0
12:13:24.987913 IP 130.226.132.96.49190 > 64.225.111.81.ssh: Flags [.], ack 6556940, win 33, length 0
12:13:24.988436 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6563256:6563548, ack 3241, win 501, length 292
12:13:24.988601 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6563548:6563840, ack 3241, win 501, length 292
12:13:24.988937 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6563840:6564132, ack 3241, win 501, length 292
12:13:24.989338 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6564132:6564424, ack 3241, win 501, length 292
12:13:24.989763 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6564424:6564684, ack 3241, win 501, length 260
12:13:24.990206 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6564684:6564848, ack 3241, win 501, length 164
12:13:24.990498 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6564848:6565012, ack 3241, win 501, length 164
12:13:24.990921 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6565012:6565176, ack 3241, win 501, length 164
12:13:24.991303 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6565176:6565340, ack 3241, win 501, length 164

2 answers

Hi @ibmo96,

That’s normal, you can disregard those, they are not concerning.

You can check the following article, which should provide more information and make it clearer:

https://www.trisul.org/blog/traffic-analysis-of-secure-shell-ssh/

I’ve had such outputs on all servers I’ve worked on.

Hello, @ibmo96

If you’re interacting with the droplet via SSH, this will leave a log on the droplet itself. You can check if the listed IP address is yours, as this will explain the activity in the logs.

You can also check other logs like /var/log/secure for CentOS and /var/log/auth.log for Ubuntu, as these logs will give you additional information about the sshd activity.

Hope that this helps!
Regards,
Alex
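
One way to carry out the "is the listed IP yours" check from the answer above, as an added example that is not part of the original thread: it groups tcpdump text output by SSH peer and marks the peer that matches your own client address. The helper names `ssh_peers` and `sample_capture` are hypothetical, and the 203.0.113.7 line is constructed sample input.

```sh
#!/bin/sh
# Added example: group tcpdump text output by SSH peer and mark which peer
# is the address you are logged in from.

# ssh_peers CLIENT_IP   (hypothetical helper; reads tcpdump lines on stdin)
# Output per peer: <ip.port> <packets> <payload bytes> <own-session|other>
ssh_peers() {
    awk -v me="$1" '
    $2 == "IP" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        # tcpdump prints port 22 as ".ssh", or ".22" when run with -n
        if (src ~ /\.(ssh|22)$/)      peer = dst
        else if (dst ~ /\.(ssh|22)$/) peer = src
        else next
        pkts[peer]++
        bytes[peer] += $NF            # last field is the TCP payload length
    }
    END {
        for (p in pkts) {
            ip = p; sub(/\.[0-9]+$/, "", ip)   # strip the port
            print p, pkts[p], bytes[p], (ip == me ? "own-session" : "other")
        }
    }' | sort
}

# Three lines from the capture in the question plus one constructed line
# (203.0.113.7 is a documentation address, not from the page).
sample_capture() {
    cat <<'EOF'
12:13:24.985673 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6561840:6562108, ack 3241, win 501, length 268
12:13:24.985907 IP 64.225.111.81.ssh > 130.226.132.96.49190: Flags [P.], seq 6562108:6562272, ack 3241, win 501, length 164
12:13:24.987831 IP 130.226.132.96.49190 > 64.225.111.81.ssh: Flags [.], ack 6555300, win 39, length 0
12:13:25.000000 IP 203.0.113.7.51514 > 64.225.111.81.ssh: Flags [P.], seq 1:49, ack 1, win 502, length 48
EOF
}

# Assumption for the demo: the admin is logged in from 130.226.132.96.
# On the droplet itself, sshd sets SSH_CLIENT, so the live form is:
#   sudo tcpdump -n -i eth0 -c 200 port 22 | ssh_peers "${SSH_CLIENT%% *}"
sample_capture | ssh_peers 130.226.132.96
```

A tcpdump started inside an SSH session also captures the packets that carry its own output back to you, which by itself produces a steady stream like the one in the question. To look at other traffic without that echo, exclude the session with `tcpdump -i eth0 not port 22`.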