On 01/05/2010 03:30 PM, James B. Byrne wrote:
I see many entries in /var/log/secure similar to these:
. . .
/var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password for root from 93.89.144.31 port 60100 ssh2
/var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7222]: Received disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7223]: Failed password for root from 93.89.144.31 port 60962 ssh2
/var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7224]: Received disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7227]: Failed password for root from 93.89.144.31 port 33612 ssh2
/var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7228]: Received disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 93.89.144.31 port 34504 ssh2
. . .
As you can see, the ports are not those associated with the service requested. SSHD is configured to listen on the standard port (22) and only on a single IP address that is supposed to be reachable only from the internal network (this is a multi-homed system configured as a gateway).
Those are the *source ports* from the attacking host, not the destination port on which you are running SSH. I /assume/ the number enclosed in '[]' to be the pid of the sshd instance associated with the connection attempt.
Hope that helps.
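An added example, not part of the thread, that parses sshd "Failed password" lines in the format quoted above, pulling out the pid in brackets, the source address and the source port that the reply describes, and counting failures per source so a run like the one in James's log stands out. The sample lines are constructed from the quoted format with the grep filename prefix removed; the threshold value is an assumption.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the thread (grep prefix dropped).
SAMPLE_LOG = """\
Dec 31 08:00:55 gway01 sshd[7220]: Received disconnect from 93.89.144.31: 11: Bye Bye
Dec 31 08:00:58 gway01 sshd[7221]: Failed password for root from 93.89.144.31 port 60100 ssh2
Dec 31 08:00:58 gway01 sshd[7222]: Received disconnect from 93.89.144.31: 11: Bye Bye
Dec 31 08:01:02 gway01 sshd[7223]: Failed password for root from 93.89.144.31 port 60962 ssh2
Dec 31 08:01:05 gway01 sshd[7227]: Failed password for root from 93.89.144.31 port 33612 ssh2
Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 93.89.144.31 port 34504 ssh2
"""

# The bracketed number is the pid of the sshd child handling that connection;
# "port N" is the client's ephemeral source port, not the port sshd listens on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) "
    r"port (?P<src_port>\d+) ssh2$"
)


def parse_failed_logins(text):
    """Return one dict per 'Failed password' line; other sshd lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["src_port"] = int(d["src_port"])
            events.append(d)
    return events


def summarize(events, threshold=3):
    """Count failures per (source IP, user); flag sources at or above threshold.

    The threshold is an assumed value for illustration, not a recommendation.
    """
    per_source = Counter((e["src_ip"], e["user"]) for e in events)
    flagged = {ip for (ip, _), n in per_source.items() if n >= threshold}
    return per_source, flagged


def source_ports(events, src_ip):
    """Source ports seen from one address, in log order (all high, ephemeral values)."""
    return [e["src_port"] for e in events if e["src_ip"] == src_ip]
```

Feeding the real file through `parse_failed_logins(open("/var/log/secure").read())` gives the same structures, with "Received disconnect" lines ignored.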