[CentOS] IPTABLEs and port scanning
jfranz at freerun.com
Tue Jan 5 16:49:28 UTC 2010
James B. Byrne wrote:
> I see many entries in /var/log/secure similar to these:
> /var/log/secure.1:Dec 31 08:01:09 gway01 sshd: Failed password
> for root from 126.96.36.199 port 34504 ssh2
> . . .
> As you can see, the ports are not those associated with the service
> requested. SSHD is configured to listen on the standard port (22)
> and only on a single IP address that is supposed to be reachable
> only from the internal network (this is a multi-homed system
> configured as a gateway).
> My confusion is over why these things are making it into the logs at
> all when sshd does not listen on those ports and the ports
> themselves are supposed to inaccessible through the firewall. There
> presence inoculates a doubt in my mind that things are properly
> I would appreciate any insight as to why these attempts are
> nonetheless logged by sshd
You are mis-interpreting the log entries. The port shown is the remote
port not your local port. When a SSH connection is set up you have
remote_address:some_high_port <-> local_address:22
What you are seeing in the log is the 'some_high_port' of the remote
address. It's a normal part of a TCP connection.
If your brute force protection is not catching the repeated login
failures, you should check its configuration.
More information about the CentOS