[CentOS] IPTABLEs and port scanning

Tue Jan 5 16:46:39 UTC 2010
Robert Nichols <rnicholsNOSPAM at comcast.net>

James B. Byrne wrote:
> I see many entries in /var/log/secure similar to these:
> 
> . . .
> /var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received
> disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password
> for root from 93.89.144.31 port 60100 ssh2
> /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7222]: Received
> disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7223]: Failed password
> for root from 93.89.144.31 port 60962 ssh2
> /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7224]: Received
> disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7227]: Failed password
> for root from 93.89.144.31 port 33612 ssh2
> /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7228]: Received
> disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password
> for root from 93.89.144.31 port 34504 ssh2
> . . .
> 
> As you can see, the ports are not those associated with the service
> requested.  SSHD is configured to listen on the standard port (22)
> and only on a single IP address that is supposed to be reachable
> only from the internal network (this is a multi-homed system
> configured as a gateway).
[SNIP]
> My confusion is over why these things are making it into the logs at
> all when sshd does not listen on those ports and the ports
> themselves are supposed to be inaccessible through the firewall.  Their
> presence inoculates a doubt in my mind that things are properly
> configured.

Those port numbers (60100, 60962, 33612, 34504) are source ports, not
destination ports.  As for why they are getting through your firewall
and being seen by sshd, a thorough review of your firewall rules would
be needed to determine that.  Indeed, it is quite doubtful that things
are properly configured.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
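The point Bob makes (the port in a "Failed password ... from A.B.C.D port N" line is the client's source port, the destination is still sshd's listen port) is easy to check against the log itself. The following script is an added example and is not code from this thread; it parses sshd "Failed password" lines as written to /var/log/secure, tolerates the "filename:" prefix that grep adds, and summarises attempts per source address. The sample lines are constructed from the excerpt quoted above (line-wrapping undone), and the 32768-61000 range used for the ephemeral-port check is assumed to be the kernel's default `net.ipv4.ip_local_port_range` on a CentOS 5 box; adjust it for your system.

```python
"""Summarise sshd 'Failed password' entries per source address.

Added illustration for the CentOS list thread on source vs. destination
ports; it is not code from the original post.
"""
import re
from collections import defaultdict

# Port sshd is assumed to listen on (the post says the standard port).
SSHD_LISTEN_PORT = 22

# Syslog line as sshd writes it on CentOS, optionally preceded by the
# "/path/to/file:" prefix that grep prepends when searching several files.
FAILED_RE = re.compile(
    r"^(?:[^\s:]+:)?"                                    # optional grep file prefix
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "   # syslog timestamp
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2$"
)

# Constructed sample, based on the lines quoted in the post above.
SAMPLE_LINES = [
    "/var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received disconnect from 93.89.144.31: 11: Bye Bye",
    "/var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password for root from 93.89.144.31 port 60100 ssh2",
    "Dec 31 08:01:02 gway01 sshd[7223]: Failed password for root from 93.89.144.31 port 60962 ssh2",
    "Dec 31 08:01:05 gway01 sshd[7227]: Failed password for root from 93.89.144.31 port 33612 ssh2",
    "Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 93.89.144.31 port 34504 ssh2",
]


def parse_failed_login(line):
    """Return a dict for a 'Failed password' line, or None for anything else."""
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": m["ts"],
        "host": m["host"],
        "pid": int(m["pid"]),
        "user": m["user"],
        "src_ip": m["ip"],
        "src_port": int(m["port"]),   # the CLIENT's port, not sshd's
    }


def is_ephemeral_port(port, low=32768, high=61000):
    """True if port falls in the assumed Linux client-side (ephemeral) range."""
    return low <= port <= high


def summarize(lines, listen_port=SSHD_LISTEN_PORT):
    """Aggregate failed logins per source IP.

    'all_ephemeral' being True for an address is the tell-tale sign that the
    logged numbers are source ports chosen by the client; sshd itself was
    still reached on listen_port.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "src_ports": []})
    for line in lines:
        rec = parse_failed_login(line)
        if rec is None:
            continue            # disconnects and other chatter are skipped
        entry = per_ip[rec["src_ip"]]
        entry["attempts"] += 1
        entry["users"].add(rec["user"])
        entry["src_ports"].append(rec["src_port"])

    report = {}
    for ip, e in per_ip.items():
        ports = sorted(e["src_ports"])
        report[ip] = {
            "attempts": e["attempts"],
            "users": sorted(e["users"]),
            "src_ports": ports,
            "distinct_src_ports": len(set(ports)),
            "all_ephemeral": all(is_ephemeral_port(p) for p in ports),
            "service_port": listen_port,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LINES).items():
        print(f"{ip}: {info['attempts']} failed logins as {info['users']} "
              f"to tcp/{info['service_port']} from client ports {info['src_ports']} "
              f"(all ephemeral: {info['all_ephemeral']})")
```

Run it against the real file with `summarize(open("/var/log/secure"))`. A source address that accumulates several attempts in seconds, each from a different client port, reached sshd on tcp/22 regardless of what the firewall was meant to allow, which is the question to take to the iptables rule review Bob suggests.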