Kill SSH Session


Kill that S..

I thought that it would be good to share how to identify suspicious/stale SSH connections and drop/kill that connection. *NIX gurus, please do not reprimand as this subject is very noob-like and totally basic from your perspectives. Unfortunately, for the rest of us, things may not be as intuitive so we, including myself, need help from time to time.

So, last night, I had connected via SSH to my Linux server and forgot about it. For whatever reason, the server kept the connection "live" but when I tried to type commands this morning, I received no feedback. So, I opened up a new terminal, opened a new SSH connection and took care of the issue.

So, what to do?

Step 1: Open a terminal on your Linux laptop (Mac users: you'll have to go to your Applications -> Utilities directory. PC users: you'll need to use a third-party application like PuTTY).

Step 2: Initiate the SSH connection by typing the following: ssh username@hostname.dom/IP_address. FYI, the '.' is not part of the command; simply grammatical. Caution: If you've specified a different TCP port in your /etc/ssh/sshd_config file than the standard port 22, you will need to append the following to your command -p 1234 (replace 1234 with your port number).

Step 3: Find out who is currently connected to the system by issuing the following command at the prompt: who. You should see output similar to what I've listed below:

user@host:~$ who
user pts/0        2014-06-04 09:21 (connection_origin_your_modem/ISP_information)
user pts/2        2014-06-04 09:59 (connection_origin_your_modem/ISP_information)

According to the time stamp, I know that the connection (pts/0) is the stale connection.

Step 4: Now, we'll find out the PID (process ID) for the connections we've found. We'll need the following command ps -axf | grep pts. By the way, the '.' is not part of the command, it's only grammatical. Issuing the command will provide information similar to the following:

user@host:~$ ps -axf | grep pts
 9231 ?        S      0:00  |   \_ sshd: user@pts/0
 9232 pts/0    Ss+    0:00  |       \_ -bash
 9270 ?        S      0:00      \_ sshd: user@pts/2
 9271 pts/2    Ss     0:00          \_ -bash
 9282 pts/2    R+     0:00              \_ ps -axf
 9283 pts/2    S+     0:00              \_ grep --color=auto pts

As we determined above, pts/0 is the stale connection, so we will kill it. The PID of its sshd process is 9231.

Step 5: Now, we'll pretend to be the digital grim reaper. Instead of using the scythe, however, we'll use the command: kill 9231. As explained above, the '.' is not part of the command; it's only grammatical. We can confirm that we've successfully killed the stale connection in one of two ways. The first way is to use the who command and the second way is to issue the ps -axf | grep pts command.

Step 5a: Upon entering the who command, you'll see output similar to the following:

user@host:~$ who
user pts/2        2014-06-04 09:59 (connection_origin_your_modem/ISP_information)

As you can see, the pts/0 connection from 2014-06-04 09:21 is no longer present; connection has been dropped!

Step 5b: Upon entering the ps -axf | grep pts command, you'll see output similar to the following:

user@host:~$ ps -axf | grep pts
 9270 ?        R      0:00      \_ sshd: user@pts/2
 9271 pts/2    Ss     0:00          \_ -bash
 9284 pts/2    R+     0:00              \_ ps -axf
 9285 pts/2    S+     0:00              \_ grep --color=auto pts

Once again, we're able to confirm that the pts/0 process/connection is no longer there. The parent process 9231, along with its child processes, has been killed.
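Steps 3 through 5 can be wrapped in a small script. This is an added example, not part of the original post: the function names are hypothetical, it assumes `ps -eo pid,tty,args` instead of `ps -axf | grep pts` so the columns are fixed, and it matches the terminal name exactly so that pts/2 does not also select pts/20.

```shell
#!/bin/sh
# Added example: map a terminal from `who` to the sshd process that owns it.

# Constructed sample in the layout of `ps -eo pid,tty,args` (not real output).
SAMPLE_PS='  PID TT       COMMAND
 9231 ?        sshd: user@pts/0
 9232 pts/0    -bash
 9270 ?        sshd: user@pts/2
 9271 pts/2    -bash
 9300 ?        sshd: user@pts/20
 9301 pts/20   -bash'

# sshd_pid_for_tty TTY: read ps output on stdin and print the PID of the
# per-session sshd process whose title ends in "@TTY" exactly.
sshd_pid_for_tty() {
    awk -v want="@$1" '
        # Title as shown on the page; newer OpenSSH may use "sshd-session:".
        $3 ~ /^sshd(-session)?:$/ {
            at = index($4, "@")            # $4 looks like user@pts/0
            if (at && substr($4, at) == want) print $1
        }'
}

# kill_session TTY: refuse to act on our own terminal, then send SIGTERM
# to that session's sshd process, as in Step 5.
kill_session() {
    target=$1
    mine=$(tty 2>/dev/null | sed 's|^/dev/||')
    if [ "$target" = "$mine" ]; then
        echo "refusing: $target is this session" >&2
        return 1
    fi
    pid=$(ps -eo pid,tty,args | sshd_pid_for_tty "$target")
    if [ -z "$pid" ]; then
        echo "no sshd process found for $target" >&2
        return 1
    fi
    kill "$pid"
}

# Demonstration on the constructed sample only; nothing is killed here.
printf '%s\n' "$SAMPLE_PS" | sshd_pid_for_tty pts/0
```

To act on a live system, call kill_session pts/0 with the terminal name taken from the who output, then re-run who to confirm the session is gone.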

***Disclaimer: Kill is a command and terminology used in *NIX land. Please, I hope that people do not take kill to mean something different: as in killing living things. So, yeah, don't read this post and go around killing things.***