Kill An Established Connection on DD-WRT and TP-LINK Router
So I had an established connection on my router that didn't look like it belonged. I didn't recognize the device and it wasn't pingable, so it was probably a stale old connection. In this case it was one of my mobile devices which went offline some time back but didn't close the connection. On most systems I can use lsof to check on the open files from the PID that's listed from netstat, but lsof isn't installed on DD-WRT.
In this case, we can get the PID from netstat -nap, then list the processes, which will hopefully tell us what connection that is:
root@DD-WRT-INTERNET:~# netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
……
tcp 0 0 192.168.0.1:22 192.168.0.17:49858 ESTABLISHED 17700/dropbear
tcp 0 132 192.168.0.1:22 192.168.0.15:51286 ESTABLISHED 5220/dropbear
tcp 0 0 192.168.0.1:22 42.205.232.251:12233 ESTABLISHED 4869/dropbear
tcp 0 37 192.168.0.1:56031 192.168.0.10:3389 ESTABLISHED 4803/dropbear
tcp 0 0 192.168.0.1:22 42.205.232.251:1898 ESTABLISHED 4803/dropbear
…..
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 3 [ ] STREAM CONNECTED 2262658 821/process_monitor
unix 3 [ ] STREAM CONNECTED 2262657 821/process_monitor
unix 2 [ ] DGRAM 2262489 16941/dnsmasq
root@DD-WRT-INTERNET:~# ps|grep dropbear
4803 root 1480 S dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 22
4869 root 1332 S dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 22
5220 root 1028 R dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 22
16962 root 972 S dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 22
17700 root 1664 S dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 22
root@DD-WRT-INTERNET:~#
Looking at the above, we can clearly see which process holds that connection, which makes the job easy.
root@DD-WRT-INTERNET:~# which strace
root@DD-WRT-INTERNET:~# kill 17700
root@DD-WRT-INTERNET:~# ps|grep dropbear
4803 root 1480 S dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 22
4869 root 1332 S dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 22
5220 root 1028 R dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 22
16962 root 972 S dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 22
root@DD-WRT-INTERNET:~# netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
…..
tcp 0 1 192.168.0.1:22 192.168.0.17:49858 FIN_WAIT1 -
tcp 0 132 192.168.0.1:22 192.168.0.15:51286 ESTABLISHED 5220/dropbear
tcp 0 0 192.168.0.1:22 42.205.232.251:12233 ESTABLISHED 4869/dropbear
tcp 0 37 192.168.0.1:56031 192.168.0.10:3389 ESTABLISHED 4803/dropbear
tcp 0 0 192.168.0.1:22 42.205.232.251:1898 ESTABLISHED 4803/dropbear
…..
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 3 [ ] STREAM CONNECTED 2262658 821/process_monitor
unix 3 [ ] STREAM CONNECTED 2262657 821/process_monitor
unix 2 [ ] DGRAM 2262489 16941/dnsmasq
root@DD-WRT-INTERNET:~#
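The lookup done by eye above (netstat row to owning PID) can be scripted when lsof is missing, with one extra check of what else that PID holds before it is killed. This is an added example, not part of the original post: the function names are made up for illustration, it assumes awk is available on the router (as a BusyBox applet), and the sample rows are copied from the netstat output above.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE holds rows copied from
# the netstat -nap output shown on this page.
SAMPLE='tcp 0 0 192.168.0.1:22 192.168.0.17:49858 ESTABLISHED 17700/dropbear
tcp 0 132 192.168.0.1:22 192.168.0.15:51286 ESTABLISHED 5220/dropbear
tcp 0 0 192.168.0.1:22 42.205.232.251:12233 ESTABLISHED 4869/dropbear
tcp 0 37 192.168.0.1:56031 192.168.0.10:3389 ESTABLISHED 4803/dropbear
tcp 0 0 192.168.0.1:22 42.205.232.251:1898 ESTABLISHED 4803/dropbear
unix 3 [ ] STREAM CONNECTED 2262658 821/process_monitor'

# pids_for_peer PEER: read `netstat -nap` text on stdin and print the unique
# PIDs that own an ESTABLISHED TCP connection to PEER ("ip" or "ip:port").
pids_for_peer() {
    awk -v peer="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            split($5, a, ":")              # a[1] = remote IP (IPv4 rows)
            if ($5 != peer && a[1] != peer) next
            split($7, p, "/")              # "17700/dropbear" -> 17700
            if (p[1] ~ /^[0-9]+$/ && !seen[p[1]]++) print p[1]
        }'
}

# conns_for_pid PID: print every TCP row owned by PID, so you can see what
# else would be dropped before sending the signal.
conns_for_pid() {
    awk -v pid="$1" '$1 ~ /^tcp/ { split($7, p, "/"); if (p[1] == pid) print }'
}

# safe_to_kill PID: succeed only when PID owns exactly one TCP connection
# in the netstat text supplied on stdin.
safe_to_kill() {
    conns_for_pid "$1" | awk 'END { exit (NR == 1) ? 0 : 1 }'
}

# On the router, feed live output instead of SAMPLE:
#   netstat -nap | pids_for_peer 192.168.0.17
printf '%s\n' "$SAMPLE" | pids_for_peer 192.168.0.17
```

In the sample, PID 4803 owns two connections, so safe_to_kill fails for it: killing that process would drop both.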