[CentOS] IPTABLEs and port scanning

James B. Byrne byrnejb at harte-lyne.ca
Tue Jan 5 15:30:34 UTC 2010


I see many entries in /var/log/secure similar to these:

. . .
/var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received
disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password
for root from 93.89.144.31 port 60100 ssh2
/var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7222]: Received
disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7223]: Failed password
for root from 93.89.144.31 port 60962 ssh2
/var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7224]: Received
disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7227]: Failed password
for root from 93.89.144.31 port 33612 ssh2
/var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7228]: Received
disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password
for root from 93.89.144.31 port 34504 ssh2
. . .

As you can see, the ports are not those associated with the service
requested.  SSHD is configured to listen on the standard port (22)
and only on a single IP address that is supposed to be reachable
only from the internal network (this is a multi-homed system
configured as a gateway).

These are getting through the brute force filters because the
attempts are directed against unchecked ports.  I suspect that these
represent no immediate danger to our systems because there are no
active services on any of the ports and because we have a guillotine
rule at the end of our INPUT chain.  The firewall is configured to
only allow connections to specified ports and to drop any new
connection attempts to all the others.

My confusion is over why these things are making it into the logs at
all when sshd does not listen on those ports and the ports
themselves are supposed to inaccessible through the firewall.  There
presence inoculates a doubt in my mind that things are properly
configured.

I would appreciate any insight as to why these attempts are
nonetheless logged by sshd.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



More information about the CentOS mailing list