Re: IPTABLEs and port scanning




James B. Byrne wrote:
> I see many entries in /var/log/secure similar to these:
> [...]
> /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password
> for root from 93.89.144.31 port 34504 ssh2
> . . .
>
> As you can see, the ports are not those associated with the service
> requested.  SSHD is configured to listen on the standard port (22)
> and only on a single IP address that is supposed to be reachable
> only from the internal network (this is a multi-homed system
> configured as a gateway).
> [...]
> My confusion is over why these things are making it into the logs at
> all when sshd does not listen on those ports and the ports
> themselves are supposed to be inaccessible through the firewall.  Their
> presence inoculates a doubt in my mind that things are properly
> configured.
>
> I would appreciate any insight as to why these attempts are
> nonetheless logged by sshd

You are misinterpreting the log entries. The port shown is the remote
port, not your local port. When an SSH connection is set up you have
something like:

remote_address:some_high_port   <-> local_address:22

What you are seeing in the log is the 'some_high_port' of the remote 
address. It's a normal part of a TCP connection.

If your brute force protection is not catching the repeated login 
failures, you should check its configuration.

-- 
Benjamin Franz

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
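
As an added illustration (not part of the original reply), this Python sketch parses sshd "Failed password" entries, shows that the logged port is the client's source port, and groups failures by remote address the way a brute-force filter would. Only the first line of SAMPLE comes from the quoted post; the other lines, the year, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd logs the client's address and its *source* port. The local port (22)
# is never written to the log line.
FAILED = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<sport>\d+)"
)

SAMPLE = [
    # Entry from the quoted post (grep's file-name prefix kept, line re-joined).
    "/var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 93.89.144.31 port 34504 ssh2",
    # Constructed entries for illustration.
    "Dec 31 08:01:12 gway01 sshd[7231]: Failed password for root from 93.89.144.31 port 34877 ssh2",
    "Dec 31 08:01:15 gway01 sshd[7233]: Failed password for invalid user admin from 93.89.144.31 port 35102 ssh2",
    "Dec 31 09:30:00 gway01 sshd[7301]: Failed password for alice from 192.0.2.10 port 51514 ssh2",
    "Dec 31 09:30:05 gway01 sshd[7301]: Accepted password for alice from 192.0.2.10 port 51514 ssh2",
]

def parse(line, year=2000):
    """Return (timestamp, remote_ip, remote_port, user) or None."""
    m = FAILED.search(line)
    if m is None:
        return None
    # Syslog timestamps carry no year; `year` is an assumption.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], int(m["sport"]), m["user"]

def brute_force_sources(lines, threshold=3, window=timedelta(minutes=10)):
    """Map each offending remote IP to the source ports it connected from."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        # Flag if any `threshold` consecutive failures fall inside `window`.
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1][0] - evs[i][0] <= window:
                flagged[ip] = sorted(port for _, port in evs)
                break
    return flagged

if __name__ == "__main__":
    for ip, ports in brute_force_sources(SAMPLE).items():
        print(f"{ip}: {len(ports)} failures, remote ports {ports}")
```

Each failure arrives from a different ephemeral port, so counting has to key on the remote address rather than the port.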
