IPTABLEs and port scanning

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

I see many entries in /var/log/secure similar to these:

. . .
/var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received
disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password
for root from 93.89.144.31 port 60100 ssh2
/var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7222]: Received
disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7223]: Failed password
for root from 93.89.144.31 port 60962 ssh2
/var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7224]: Received
disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7227]: Failed password
for root from 93.89.144.31 port 33612 ssh2
/var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7228]: Received
disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password
for root from 93.89.144.31 port 34504 ssh2
. . .

As you can see, the ports are not those associated with the service
requested.  SSHD is configured to listen on the standard port (22)
and only on a single IP address that is supposed to be reachable
only from the internal network (this is a multi-homed system
configured as a gateway).

These are getting through the brute force filters because the
attempts are directed against unchecked ports.  I suspect that these
represent no immediate danger to our systems because there are no
active services on any of the ports and because we have a guillotine
rule at the end of our INPUT chain.  The firewall is configured to
only allow connections to specified ports and to drop any new
connection attempts to all the others.

My confusion is over why these things are making it into the logs at
all when sshd does not listen on those ports and the ports
themselves are supposed to inaccessible through the firewall.  There
presence inoculates a doubt in my mind that things are properly
configured.

I would appreciate any insight as to why these attempts are
nonetheless logged by sshd.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux