
I activated ufw on my Ubuntu 18 server. After resetting to defaults (deny all incoming), I opened ports 22, 80 and 443 and enabled logging. In the ufw log, I can see a lot of blocked requests.

But I don't understand why I can find failed login entries in the auth.log on ports which should be blocked:


Apr 10 18:00:48 servername sshd[18703]: Disconnected from invalid user netapp 177.12.xxx.xxx port 37493 [preauth]
Apr 10 18:00:48 servername sshd[18703]: Received disconnect from 177.12.xxx.xxx port 37493:11: Bye Bye [preauth]
Apr 10 18:00:47 servername sshd[18703]: Failed password for invalid user netapp from 177.12.xxx.xxx port 37493 ssh2
Apr 10 18:00:45 servername sshd[18703]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=177.12.xxx.xxx

In my opinion, the firewall should disable logins on these ports (i.e. 37493).

Can someone shed some light on this for me?

Thanks a lot

  • You are interpreting the logs incorrectly. You opened port 22 (which is where sshd typically lives) on the firewall. The log messages are a failed login attempt to sshd. The port (i.e. 37493) listed in the error message is the source of the connection, not the destination. –  Apr 10 '20 at 18:28
  • This makes sense. Thank you very much for the clarification. – Quercode Apr 10 '20 at 19:50
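
The source-port versus destination-port distinction from the comment above, as an added example that is not part of the original thread: it reads an sshd line and a ufw line and reports which port is which, then checks each outcome against the rule set from the question. The sample lines are constructed (the ufw line is abbreviated), and `SSHD_PORT = 22` is an assumption that sshd listens on its default port.

```python
import re

ALLOWED_IN = {22, 80, 443}  # ports opened in ufw, as in the question
SSHD_PORT = 22              # assumption: sshd listens on its default port

# sshd prints the client's address and the client's (ephemeral) source port.
SSHD_RE = re.compile(r"sshd\[\d+\]: .*?(\d+\.\d+\.\d+\.\d+) port (\d+)")
# ufw (netfilter) prints both ends: SPT = source port, DPT = destination port.
UFW_RE = re.compile(r"\[UFW (\w+)\].*?SRC=(\S+).*?SPT=(\d+) DPT=(\d+)")

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE = [
    "Apr 10 18:00:47 servername sshd[18703]: Failed password for invalid "
    "user netapp from 203.0.113.7 port 37493 ssh2",
    "Apr 10 18:01:02 servername kernel: [1234.5678] [UFW BLOCK] IN=eth0 OUT= "
    "SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TTL=241 PROTO=TCP "
    "SPT=51234 DPT=23 WINDOW=1024 SYN URGP=0",
]

def parse(line):
    """Return source address, source port and destination port for a line."""
    m = UFW_RE.search(line)
    if m:
        return {"log": "ufw", "action": m.group(1), "src": m.group(2),
                "src_port": int(m.group(3)), "dst_port": int(m.group(4))}
    m = SSHD_RE.search(line)
    if m:
        # A line written by sshd means the packet was addressed to sshd's
        # own port; the number in the message is the remote client's port.
        return {"log": "sshd", "action": "ALLOW", "src": m.group(1),
                "src_port": int(m.group(2)), "dst_port": SSHD_PORT}
    return None  # e.g. pam_unix lines, which carry no port at all

def consistent_with_firewall(rec):
    """True when the logged outcome matches the ALLOWED_IN rule set."""
    allowed = rec["dst_port"] in ALLOWED_IN
    return allowed == (rec["action"] == "ALLOW")

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse(line)
        print(rec, "matches rules:", consistent_with_firewall(rec))
```
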
