bash, logging, ssh, lsof

Looking into bash script to log SSH activity


I'm having some suspicious SSH activity, apparently originating from my computer (OSX Sierra). For this reason I am trying to determine why, and more specifically from where, this is happening.

I'm basically looking for something to track ssh calls. The following seems to work to reveal which process PID makes the call. I chose to check every 15 seconds (perhaps this should be even lower).

    lsof -r 15 -i -a -c ssh

For this process I would then like to run ps -fp <PID> for information about the program that is making these ssh requests.

I'd like to automate this (run ps -fp for any ssh activity found) and log the resulting information.

I have no real experience making scripts. If anyone could help me make this possible, any help would be greatly appreciated.


Solution

  • Hmm, not sure if this will work on a Mac, but this may get you started:

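    # De-duplicate the PIDs and join them with commas for ps -p; skip ps when lsof found nothing
    while [[ 1 ]] ; do echo "## $(date) ##" ; S_PIDS=$(lsof -i -a -c ssh | awk '/ssh/ {print $2}' | sort -u | paste -sd, -) ; [ -n "${S_PIDS}" ] && ps -fp "${S_PIDS}" ; sleep 15 ; done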
    

    Or, to log the info:

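    # Same loop, with everything it prints also written to /tmp/ssh.log
    while [[ 1 ]] ; do echo "## $(date) ##" ; S_PIDS=$(lsof -i -a -c ssh | awk '/ssh/ {print $2}' | sort -u | paste -sd, -) ; [ -n "${S_PIDS}" ] && ps -fp "${S_PIDS}" ; sleep 15 ; done | tee /tmp/ssh.log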
    

    :)
    Dale
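
The same polling idea as an added example (not part of the answer above): it reads lsof's machine-readable `-F` output, so each log entry carries the remote endpoint, the owning process and that process's parent, which is usually the program that launched ssh. `LOG`, `INTERVAL`, `--watch` and `--demo` are names assumed here, and the sample lsof output is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumed names: LOG, INTERVAL, --watch, --demo.

# Turn `lsof -F pcn` field output (stdin) into "PID COMMAND LOCAL->REMOTE"
# lines, one per connected socket; listening sockets have no "->" and are skipped.
parse_lsof_fields() {
  awk '
    /^p/ { pid = substr($0, 2); next }    # start of a process set
    /^c/ { cmd = substr($0, 2); next }    # command name for that PID
    /^n/ { name = substr($0, 2)           # socket name, e.g. a:1->b:22
           if (name ~ /->/ && !seen[pid SUBSEP name]++) print pid, cmd, name }
  '
}

# Collapse the first column into the comma list that `ps -p` accepts.
unique_pids() { awk '{ print $1 }' | sort -un | paste -sd, - ; }

# One polling pass: connections, the owning processes, then their parents.
snapshot() {
  conns=$(lsof -nP -i TCP -a -c ssh -F pcn 2>/dev/null | parse_lsof_fields)
  [ -n "$conns" ] || return 0             # nothing open: log nothing
  pids=$(printf '%s\n' "$conns" | unique_pids)
  echo "## $(date '+%Y-%m-%dT%H:%M:%S%z') ##"
  printf '%s\n' "$conns"
  ps -o pid,ppid,user,lstart,command -p "$pids"
  parents=$(ps -o ppid= -p "$pids" | unique_pids)
  if [ -n "$parents" ]; then ps -o pid,ppid,user,lstart,command -p "$parents"; fi
}

# Constructed sample of `lsof -F pcn` output (documentation addresses).
SAMPLE='p501
cssh
f3
n192.168.1.10:50312->203.0.113.7:22
p77
csshd
f3
n*:22'

case "${1:-}" in
  --demo)  printf '%s\n' "$SAMPLE" | parse_lsof_fields ;;
  --watch) while true; do snapshot; sleep "${INTERVAL:-2}"; done \
             >> "${LOG:-$HOME/ssh-activity.log}" ;;
esac
```

A shorter `INTERVAL` narrows, but does not close, the window in which an ssh process can start and exit between two polls.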