James B. Byrne wrote:
> I see many entries in /var/log/secure similar to these:
>
> . . .
> /var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password for root from 93.89.144.31 port 60100 ssh2
> /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7222]: Received disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7223]: Failed password for root from 93.89.144.31 port 60962 ssh2
> /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7224]: Received disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7227]: Failed password for root from 93.89.144.31 port 33612 ssh2
> /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7228]: Received disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 93.89.144.31 port 34504 ssh2
> . . .
>
> As you can see, the ports are not those associated with the service
> requested. SSHD is configured to listen on the standard port (22)
> and only on a single IP address that is supposed to be reachable
> only from the internal network (this is a multi-homed system
> configured as a gateway).

[SNIP]

> My confusion is over why these things are making it into the logs at
> all when sshd does not listen on those ports and the ports
> themselves are supposed to be inaccessible through the firewall. Their
> presence inoculates a doubt in my mind that things are properly
> configured.

Those port numbers (60100, 60962, 33612, 34504) are source ports, not
destination ports. As for why they are getting through your firewall
and being seen by sshd, a thorough review of your firewall rules would
be needed to determine that. Indeed, it is quite doubtful that things
are properly configured.

--
Bob Nichols         "NOSPAM" is really part of my email address.
                    Do NOT delete it.
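
Added example, not part of the original messages: a short Python parser that extracts the client address and source port from sshd `Failed password` lines like those quoted in this thread and tallies the attempts per address. The sample lines are copied from the quoted log; the function names and the 1024 "privileged port" threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# sshd records the *client's* address and source port in this message;
# the port sshd itself listens on (22 here) never appears in it.
FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+) (?P<proto>\S+)"
)

# Sample lines taken from the log quoted in the thread (grep prefix included).
SAMPLE = """\
/var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password for root from 93.89.144.31 port 60100 ssh2
/var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7222]: Received disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7223]: Failed password for root from 93.89.144.31 port 60962 ssh2
/var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7227]: Failed password for root from 93.89.144.31 port 33612 ssh2
/var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 93.89.144.31 port 34504 ssh2
"""


def summarize_failures(text):
    """Group failed password attempts by client (source) address."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "src_ports": []})
    for line in text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # disconnects and other messages carry no port field
        entry = summary[m["src_ip"]]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
        entry["src_ports"].append(int(m["src_port"]))
    return dict(summary)


def all_client_side(ports, privileged_below=1024):
    """True when every port lies outside the privileged range, which is what
    client-chosen source ports look like (threshold is an assumption)."""
    return all(p >= privileged_below for p in ports)


if __name__ == "__main__":
    for ip, e in summarize_failures(SAMPLE).items():
        kind = "client source ports" if all_client_side(e["src_ports"]) else "review"
        print(f"{ip}: {e['attempts']} failures, users={sorted(e['users'])}, "
              f"ports={e['src_ports']} ({kind})")
```

A different, high-numbered port on every attempt from the same address is the signature of a client opening a fresh connection each time, which matches the reply's reading of the log.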