James B. Byrne wrote:
> I see many entries in /var/log/secure similar to these:
> [...]
> /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 93.89.144.31 port 34504 ssh2
> . . .
>
> As you can see, the ports are not those associated with the service
> requested. SSHD is configured to listen on the standard port (22)
> and only on a single IP address that is supposed to be reachable
> only from the internal network (this is a multi-homed system
> configured as a gateway).
> [...]
> My confusion is over why these things are making it into the logs at
> all when sshd does not listen on those ports and the ports
> themselves are supposed to be inaccessible through the firewall. Their
> presence inoculates a doubt in my mind that things are properly
> configured.
>
> I would appreciate any insight as to why these attempts are
> nonetheless logged by sshd

You are misinterpreting the log entries. The port shown is the remote
port, not your local port. When an SSH connection is set up you have
something like:

    remote_address:some_high_port <-> local_address:22

What you are seeing in the log is the 'some_high_port' of the remote
address. It's a normal part of a TCP connection.

If your brute force protection is not catching the repeated login
failures, you should check its configuration.

--
Benjamin Franz
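
The log format discussed above, parsed so that the remote address and the remote (source) port are kept apart. This is an added example, not part of the original message. Only the first sample line comes from the thread; the other lines, the function names and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter

# First line is the entry quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = """\
Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 93.89.144.31 port 34504 ssh2
Dec 31 08:01:12 gway01 sshd[7231]: Failed password for root from 93.89.144.31 port 34977 ssh2
Dec 31 08:01:15 gway01 sshd[7233]: Failed password for invalid user admin from 93.89.144.31 port 35410 ssh2
Dec 31 08:02:40 gway01 sshd[7240]: Failed password for alice from 192.0.2.10 port 51522 ssh2
Dec 31 08:03:02 gway01 sshd[7244]: Accepted password for alice from 192.0.2.10 port 51530 ssh2
"""

# "port N" in these entries is the client's source port, not the port sshd listens on.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<addr>\S+) port (?P<port>\d+)"
)


def parse_failures(log_text):
    """Return (user, remote_addr, remote_port) for each failed-password line."""
    failures = []
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            failures.append((match["user"], match["addr"], int(match["port"])))
    return failures


def repeat_offenders(failures, threshold=3):
    """Count failures per remote address; threshold is an assumed example value.

    Grouping must ignore the port: it is an ephemeral source port that
    changes with every new TCP connection from the same client.
    """
    counts = Counter(addr for _, addr, _ in failures)
    report = {}
    for addr, total in counts.items():
        if total >= threshold:
            ports = sorted({port for _, a, port in failures if a == addr})
            report[addr] = {"failures": total, "remote_ports": ports}
    return report


if __name__ == "__main__":
    for addr, info in repeat_offenders(parse_failures(SAMPLE_LOG)).items():
        print(addr, info["failures"], "failures from source ports", info["remote_ports"])
```
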