I have a Docker container running SSHD which receives SSH connections from multiple remote machines. I need to identify and terminate the connection coming from one particular machine.
The connections:
ssh
or set in ssh_config
which will make it easier to ID the connections, I have the option to do that.

What I know:

What I've tried so far:

ps -aux will show me the SSHD processes for all the incoming connections. However, I cannot tell which incoming connection comes from which remote machine.

cat /proc/net/unix tells me which socket files are open, but not what processes each one is opened by.

lsof is supposed to list which processes have which files open. However, when I tested it by running it when I had a single incoming connection:
/proc/${PID}/cwd, /proc/${PID}/root, /proc/${PID}/exe, and 6-8 numbered files in /proc/${PID}/fd/
Found the solution: lsof can tell you which processes have a given socket file open. However, Docker, by default, restricts containers such that processes inside the container cannot read /proc/${PID}/fd/${FD_NUM}, even if the process trying to do the reading is running as root, which is why lsof couldn't tell what processes had what files opened.

Running the SSHD container with --cap-add=SYS_PTRACE tells Docker not to block such operations, allowing lsof to work correctly.

More specifically: lsof -t "${SOCKET_FILE}" will return a list of PIDs which have the given socket file open.
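As an added example (not code from the question or the answer), the lookup that lsof -t performs can be reproduced from /proc alone, which also makes the failure mode visible: /proc/net/unix maps the socket path to its inodes, each /proc/PID/fd link that reads socket:[INODE] names a holder, and any /proc/PID/fd directory that is unreadable (the symptom in a container without CAP_SYS_PTRACE) is reported rather than silently skipped. The /proc/net/unix sample text and the path /run/sshd-fwd.sock are constructed.

```python
import os
import re

# Constructed sample of /proc/net/unix: a listener (St 01) plus one accepted
# connection share the path; the unnamed client end has no path column.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 19341 /run/sshd-fwd.sock
0000000000000000: 00000003 00000000 00000000 0001 03 19350 /run/sshd-fwd.sock
0000000000000000: 00000002 00000000 00000000 0001 03 19352
"""
FD_SOCKET = re.compile(r"^socket:\[(\d+)\]$")   # readlink form of a socket fd

def parse_proc_net_unix(text):
    """Map each bound socket path to the set of inodes that carry it."""
    inodes = {}
    for line in text.splitlines():
        cols = line.split(None, 7)   # Num RefCount Protocol Flags Type St Inode Path
        if len(cols) == 8 and cols[6].isdigit():   # skips header and unnamed ends
            inodes.setdefault(cols[7], set()).add(int(cols[6]))
    return inodes

def pids_holding_inodes(inodes, proc="/proc"):
    """Return (pids holding any inode, pids whose /proc/PID/fd was unreadable)."""
    holders, unreadable = set(), set()
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except PermissionError:      # no ptrace access to that process
            unreadable.add(int(entry))
            continue
        except FileNotFoundError:    # process exited during the scan
            continue
        for fd in fds:
            try:
                m = FD_SOCKET.match(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:          # fd closed meanwhile, or link unreadable
                continue
            if m and int(m.group(1)) in inodes:
                holders.add(int(entry))
    return holders, unreadable

def pids_holding_socket(path, proc="/proc"):
    """lsof -t equivalent for one unix socket file, built from /proc alone."""
    with open(os.path.join(proc, "net", "unix")) as f:
        inodes = parse_proc_net_unix(f.read()).get(path)
    if not inodes:
        raise FileNotFoundError(f"{path} is not a bound unix socket")
    return pids_holding_inodes(inodes, proc)
```

If the second set returned by pids_holding_socket is non-empty, the scan was incomplete and the container still lacks the capability the answer describes.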