Benjamin Franz jfranz at freerun.com
Tue Jan 5 16:49:28 UTC 2010

James B. Byrne wrote:
> I see many entries in /var/log/secure similar to these:
> [...]
> /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password
> for root from port 34504 ssh2
> . . .
> As you can see, the ports are not those associated with the service
> requested.  SSHD is configured to listen on the standard port (22)
> and only on a single IP address that is supposed to be reachable
> only from the internal network (this is a multi-homed system
> configured as a gateway).
> [...]
> My confusion is over why these things are making it into the logs at
> all when sshd does not listen on those ports and the ports
> themselves are supposed to be inaccessible through the firewall.  Their
> presence inoculates a doubt in my mind that things are properly
> configured.
> I would appreciate any insight as to why these attempts are
> nonetheless logged by sshd

You are misinterpreting the log entries. The port shown is the remote 
port, not your local port. When an SSH connection is set up, you have 
something like:

remote_address:some_high_port   <-> local_address:22

What you are seeing in the log is the 'some_high_port' of the remote 
address. It's a normal part of a TCP connection.

If your brute force protection is not catching the repeated login 
failures, you should check its configuration.

Benjamin Franz
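
The point of the reply above, as an added example that is not part of the original post: a short Python script that groups sshd "Failed password" lines by remote address and records the port from each line. The sample log lines are constructed (documentation-range addresses, made-up ports), and the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the sshd "Failed password" format quoted above.
# Addresses come from the documentation ranges (RFC 5737); ports are made up.
SAMPLE_LOG = """\
Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 203.0.113.7 port 34504 ssh2
Dec 31 08:01:12 gway01 sshd[7231]: Failed password for root from 203.0.113.7 port 34911 ssh2
Dec 31 08:01:15 gway01 sshd[7233]: Failed password for invalid user admin from 203.0.113.7 port 35290 ssh2
Dec 31 08:02:40 gway01 sshd[7240]: Failed password for root from 198.51.100.20 port 51822 ssh2
Dec 31 08:03:02 gway01 sshd[7244]: Accepted password for jsmith from 192.0.2.15 port 40112 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<addr>\S+) port (?P<port>\d+)"
)

def failures_by_source(log_text):
    """Map remote address -> {"count", "ports", "users"} for failed logins."""
    stats = defaultdict(lambda: {"count": 0, "ports": set(), "users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        entry = stats[m.group("addr")]
        entry["count"] += 1
        # The logged port is the client's source port on the remote side;
        # it changes with every new TCP connection to local port 22.
        entry["ports"].add(int(m.group("port")))
        entry["users"].add(m.group("user"))
    return dict(stats)

def repeat_offenders(log_text, threshold=3):
    """Remote addresses with at least `threshold` failed logins, sorted."""
    stats = failures_by_source(log_text)
    return sorted(a for a, s in stats.items() if s["count"] >= threshold)

if __name__ == "__main__":
    for addr, s in failures_by_source(SAMPLE_LOG).items():
        print(addr, s["count"], "failures, remote ports", sorted(s["ports"]))
    print("at or over threshold:", repeat_offenders(SAMPLE_LOG))
```

Each failure from the same address shows a different port because the remote host opens a new connection for each attempt, so any counting of repeated failures has to key on the address, not the port.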

