[CentOS] IPTABLEs and port scanning
Benjamin Franz
jfranz at freerun.com
Tue Jan 5 16:49:28 UTC 2010
James B. Byrne wrote:
> I see many entries in /var/log/secure similar to these:
> [...]
> /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 93.89.144.31 port 34504 ssh2
> . . .
>
> As you can see, the ports are not those associated with the service
> requested. SSHD is configured to listen on the standard port (22)
> and only on a single IP address that is supposed to be reachable
> only from the internal network (this is a multi-homed system
> configured as a gateway).
> [...]
> My confusion is over why these things are making it into the logs at
> all when sshd does not listen on those ports and the ports
> themselves are supposed to be inaccessible through the firewall. Their
> presence inoculates a doubt in my mind that things are properly
> configured.
>
> I would appreciate any insight as to why these attempts are
> nonetheless logged by sshd

You are mis-interpreting the log entries. The port shown is the remote port, not your local port. When an SSH connection is set up you have something like:

remote_address:some_high_port <-> local_address:22

What you are seeing in the log is the 'some_high_port' of the remote address. It's a normal part of a TCP connection.

If your brute force protection is not catching the repeated login failures, you should check its configuration.

--
Benjamin Franz
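To check both points in the reply against a log, the following added example (not part of the original message) parses sshd "Failed password" lines, shows that the logged port is the remote side's changing source port, and flags sources that a brute-force limiter should have caught. The sample lines are constructed with documentation-range addresses, and the threshold, window and year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the /var/log/secure format quoted above.
# Addresses are RFC 5737 documentation ranges; users and PIDs are made up.
SAMPLE_LOG = """\
Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 192.0.2.10 port 34504 ssh2
Dec 31 08:01:12 gway01 sshd[7231]: Failed password for root from 192.0.2.10 port 34877 ssh2
Dec 31 08:01:15 gway01 sshd[7233]: Failed password for invalid user admin from 192.0.2.10 port 35102 ssh2
Dec 31 08:01:19 gway01 sshd[7235]: Failed password for root from 192.0.2.10 port 35340 ssh2
Dec 31 09:14:02 gway01 sshd[7301]: Failed password for jbb from 198.51.100.7 port 51822 ssh2
Dec 31 09:14:30 gway01 sshd[7305]: Accepted password for jbb from 198.51.100.7 port 51840 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<sport>\d+)"
)

def parse_failures(text, year=2009):
    """Yield (timestamp, user, remote_ip, remote_source_port) per failed login."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # Syslog timestamps carry no year; the caller supplies one (assumed).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"], int(m["sport"])

def brute_force_sources(text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: sorted source ports} for IPs with >= threshold failures in window."""
    by_ip = defaultdict(list)
    for ts, _user, ip, sport in parse_failures(text):
        by_ip[ip].append((ts, sport))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        # Slide over consecutive failures; flag on the first dense burst.
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                flagged[ip] = sorted(p for _, p in events)
                break
    return flagged

if __name__ == "__main__":
    for ip, ports in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(ports)} failures, remote source ports {ports}")
```

Every flagged entry lists a different high port per attempt because each new TCP connection from the client picks a fresh source port; the local side is port 22 in all of them.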