Score:1

Does FIN-WAIT-1 mean I was hacked?

dk flag

I'm very new to server security and this is my first post here. Recently, my server has been experiencing many SSH login attempts from unknown sources.

A couple of minutes ago I logged in to the server and decided to check the TCP sockets by issuing the ss -t command, and discovered a socket in the FIN-WAIT-1 state. I'm not sure what to think about it. Has someone successfully connected?

State                Recv-Q            Send-Q                        Local Address:Port                         Peer Address:Port            
FIN-WAIT-1           0                 69                            139.132.21.45:ssh                        123.156.225.58:36092

Also, the last command gives me these entries, but I did not log in as root today.

root     ttyS0                         Tue Nov  2 17:10   still logged in
reboot   system boot  4.15.0-161-gener Tue Nov  2 17:10   still running

Should I be worried?

Score:4
ng flag

Has someone successfully connected?

Yes, but this doesn't actually mean anything; it only says a TCP connection was established and then closed. There is no relationship with what the remote user was or was not able to do.

Case in point: you connect to a remote host using SSH, then you provide wrong credentials; the server will close the connection. A connection closed by the server will go (for a while) into a FIN-WAIT-1 state. But nobody actually logged in; it was simply a failed login attempt.

my server has been experiencing many SSH login attempts from unknown sources.

If you catch one of those attempts immediately after it failed, a socket in the FIN-WAIT-1 state is exactly what you would see at the network level.


Having said all of the above, you should put some kind of firewall in front of your server (or at the very least configure the system firewall to only allow logins from known, trusted sources); if you leave any computer exposed to the public Internet on common remote administration ports (SSH, RDP, etc.), you are just asking for trouble.

dk flag
Sir, thank you very much. That's exactly what I needed to know! Have a great day!
ng flag
My pleasure. If you found the answer useful, remember to upvote and accept it.
Score:3
ar flag

No. It means that the socket is closed. It's a TCP State.

Score:1
sg flag

You can see in real time the connection attempts to your machine with "tcpdump -v dst host {your_ip_ext} and 'tcp[tcpflags] == tcp-syn' "

dk flag
hey, thank you for this! Have a great day!
Score:0
in flag

When you see FIN-WAIT-1 in your machine's netstat output, it tells you that:

  1. Your machine is the active closer of this connection; it sent a FIN to the peer to close the connection. Your machine then enters the state FIN-WAIT-1.

  2. To clear the FIN-WAIT-1 state, your machine must receive an acknowledgement packet for the FIN packet above; if it receives the ACK packet, it will enter FIN-WAIT-2.

So, if the state is stuck at FIN-WAIT-1, it means one of the following:

  1. The FIN packet never reached the peer, so the peer will never send an ACK packet.
  2. The FIN packet reached the peer, but for some reason the peer does not respond with an ACK packet.
  3. The FIN packet reached the peer, and the peer responded with the ACK packet, but the ACK packet is being dropped by some device on the path back to your machine.
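The close handshake described in this answer (and the "failed login, then the server closes" scenario from the accepted answer), modelled as an added example that is not part of the original thread. The transition table goes a little beyond the text by also covering passive and simultaneous close; the state names, event names and the two scenario functions are this example's own.

```python
# Added example (not from the original thread): a minimal model of the TCP
# close handshake, showing how a server that rejects a login ends up in
# FIN-WAIT-1 and why that state says nothing about whether the login succeeded.
from typing import Iterable, List, Tuple

# (state, event) -> next state, following the RFC 793 close transitions.
# Events: "close" (local side calls close()), "ack" (ACK of our FIN arrives),
# "fin" (peer's FIN arrives), "fin+ack" (peer's FIN that also ACKs ours).
TRANSITIONS = {
    ("ESTABLISHED", "close"):  "FIN-WAIT-1",  # active close: we sent a FIN
    ("ESTABLISHED", "fin"):    "CLOSE-WAIT",  # passive close: peer closed first
    ("FIN-WAIT-1", "ack"):     "FIN-WAIT-2",  # our FIN was acknowledged
    ("FIN-WAIT-1", "fin"):     "CLOSING",     # simultaneous close
    ("FIN-WAIT-1", "fin+ack"): "TIME-WAIT",
    ("FIN-WAIT-2", "fin"):     "TIME-WAIT",
    ("CLOSING", "ack"):        "TIME-WAIT",
    ("CLOSE-WAIT", "close"):   "LAST-ACK",
    ("LAST-ACK", "ack"):       "CLOSED",
    ("TIME-WAIT", "timeout"):  "CLOSED",
}

def run_close(events: Iterable[str], start: str = "ESTABLISHED") -> Tuple[str, List[str]]:
    """Apply the events in order; return the final state and the trace of states."""
    state, trace = start, [start]
    for ev in events:
        nxt = TRANSITIONS.get((state, ev))
        if nxt is None:
            # Segment not expected in this state: a real stack ignores it or
            # answers with RST; here we stay put so a "stuck" socket shows in the trace.
            continue
        state = nxt
        trace.append(state)
    return state, trace

def state_after_failed_login(ack_returned: bool) -> str:
    """Hypothetical scenario: sshd rejects the credentials and closes the socket itself.
    If the ACK of its FIN comes back the socket moves on and is torn down;
    if the ACK never arrives (cases 1-3 above) it sits in FIN-WAIT-1."""
    events = ["close"] + (["ack", "fin", "timeout"] if ack_returned else [])
    return run_close(events)[0]

if __name__ == "__main__":
    print(state_after_failed_login(ack_returned=True))   # CLOSED
    print(state_after_failed_login(ack_returned=False))  # FIN-WAIT-1, as in the ss output
```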