James B. Byrne wrote:
I see many entries in /var/log/secure similar to these:
. . .
/var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password for root from 93.89.144.31 port 60100 ssh2
/var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7222]: Received disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7223]: Failed password for root from 93.89.144.31 port 60962 ssh2
/var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7224]: Received disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7227]: Failed password for root from 93.89.144.31 port 33612 ssh2
/var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7228]: Received disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 93.89.144.31 port 34504 ssh2
. . .
As you can see, the ports are not those associated with the service requested. SSHD is configured to listen on the standard port (22) and only on a single IP address that is supposed to be reachable only from the internal network (this is a multi-homed system configured as a gateway).
[SNIP]
My confusion is over why these things are making it into the logs at all when sshd does not listen on those ports and the ports themselves are supposed to be inaccessible through the firewall. Their presence inoculates a doubt in my mind that things are properly configured.
Those port numbers (60100, 60962, 33612, 34504) are source ports, not destination ports. As for why they are getting through your firewall and being seen by sshd, a thorough review of your firewall rules would be needed to determine that. Indeed, it is quite doubtful that things are properly configured.
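An added example, not part of this thread: a small Python parser for the sshd lines quoted above that pulls out the client's source IP and source port, checks the port against the Linux default ephemeral range (an assumption about the attacking client's OS, not something the thread states), and counts failed logins per source address, which is the figure a defender actually wants from these logs.

```python
import re
from collections import Counter

# Pattern for sshd's "Failed password" message as it appears in /var/log/secure.
# The number after "port" is the client's source port; sshd's own listening
# port (22 here) never appears in this message, which is what confused the poster.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2"
)

# Linux default client-side ephemeral range (net.ipv4.ip_local_port_range).
# Assumed for illustration; other operating systems use different ranges.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 32768, 60999


def parse_failed_logins(lines):
    """Return (source_ip, source_port, user) for every failed-password line."""
    hits = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:  # "Received disconnect" and other lines are skipped
            hits.append((m.group("ip"), int(m.group("port")), m.group("user")))
    return hits


def is_ephemeral(port):
    """True if the port lies in the assumed client ephemeral range."""
    return EPHEMERAL_LOW <= port <= EPHEMERAL_HIGH


def failures_by_source(lines):
    """Count failed logins per source IP; a burst from one IP is the signal to act on."""
    return Counter(ip for ip, _, _ in parse_failed_logins(lines))


# Constructed sample: the entries quoted in the question, minus the filename prefix.
SAMPLE = [
    "Dec 31 08:00:55 gway01 sshd[7220]: Received disconnect from 93.89.144.31: 11: Bye Bye",
    "Dec 31 08:00:58 gway01 sshd[7221]: Failed password for root from 93.89.144.31 port 60100 ssh2",
    "Dec 31 08:01:02 gway01 sshd[7223]: Failed password for root from 93.89.144.31 port 60962 ssh2",
    "Dec 31 08:01:05 gway01 sshd[7227]: Failed password for root from 93.89.144.31 port 33612 ssh2",
    "Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 93.89.144.31 port 34504 ssh2",
]

if __name__ == "__main__":
    for ip, port, user in parse_failed_logins(SAMPLE):
        print(f"{ip}:{port} -> {user}  ephemeral={is_ephemeral(port)}")
    print(failures_by_source(SAMPLE))
```

Every quoted port falls in the ephemeral range and all four failures come from one address, which is exactly the pattern a fail2ban-style rule or a firewall review would key on.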