auth.log shows sshd login attempt from invalid port - why? how?
by gtalbott from LinuxQuestions.org on (#5MKSH)
I saw an "Illegal users from:" entry in my Logwatch email this morning from some IP address that I did not recognize. This is unusual, first time in a long time since I closed port 22 on my firewall. Trying to dig deeper I grep'ed the IP address in /var/log and found the following:
auth.log:Jul 25 18:28:56 linux2 sshd[2013]: Invalid user ubnt from 185.212.149.205 port 20113
What is bothering me is that sshd is not listening on port 20113! I don't understand how sshd can be reporting a login attempt from a port it is not listening on?
My question is: How can this happen???
Some background:
My firewall blocks (stealths) port 20113 (and port 22) as confirmed by "ShieldsUP!" (grc.com).
sshd is configured to listen on port 22 for local traffic (192.168.254.0/24) and one high numbered port which is port forwarded to my Linux system for my access when traveling.
No one is listening on port 20113 as confirmed by netstat -nl.
Attempting to ssh into the system using -p 20113 results in "Connection refused".
Linux version: Ubuntu 18.04.5 LTS
Router: Frontier Communications Arris NVG443B Version: 9.3.0h3d36
Additional Question: Is there a bug in reporting the port number in sshd? When investigating the above I connected to my Linux system with ssh and specified my external port number. Then after disconnecting I looked at my auth.log file and found:
Jul 26 10:13:12 linux2 sshd[12546]: pam_unix(sshd:session): session opened for user glenn by (uid=0)
Jul 26 10:13:12 linux2 systemd-logind[1478]: New session 136 of user glenn.
Jul 26 10:13:16 linux2 sshd[12683]: Received disconnect from 192.168.254.2 port 46772:11: disconnected by user
Jul 26 10:13:16 linux2 sshd[12683]: Disconnected from user glenn 192.168.254.2 port 46772
Jul 26 10:13:16 linux2 systemd-logind[1478]: Removed session 136.
Jul 26 10:13:16 linux2 sshd[12546]: pam_unix(sshd:session): session closed for user glenn
The port referenced (46772) is NOT one of the ports that sshd listens on!
If sshd garbles port numbers when logging it could explain my first question.