James B. Byrne wrote:
I see many entries in /var/log/secure similar to these: [...] /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 93.89.144.31 port 34504 ssh2 . . .
As you can see, the ports are not those associated with the service requested. SSHD is configured to listen on the standard port (22) and only on a single IP address that is supposed to be reachable only from the internal network (this is a multi-homed system configured as a gateway). [...] My confusion is over why these things are making it into the logs at all when sshd does not listen on those ports and the ports themselves are supposed to inaccessible through the firewall. There presence inoculates a doubt in my mind that things are properly configured.
I would appreciate any insight as to why these attempts are nonetheless logged by sshd
You are mis-interpreting the log entries. The port shown is the remote port not your local port. When a SSH connection is set up you have something like:
remote_address:some_high_port <-> local_address:22
What you are seeing in the log is the 'some_high_port' of the remote address. It's a normal part of a TCP connection.
If your brute force protection is not catching the repeated login failures, you should check its configuration.