So my server is getting slammed with thousands of SSH login attempts. Fail2ban is catching and banning them – but my inbox it’s worrying me and it filling up inbox with alerts. Here’s a sample of what I’m seeing:
May 28 15:26:09 sshd: input_userauth_request: invalid user test [preauth] May 28 15:26:09 sshd: pam_unix(sshd:auth): check pass; user unknown May 28 15:26:09 sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<<SNIPIP>> May 28 15:26:11 sshd: Failed password for invalid user test from <<SNIPIP>> port 41344 ssh2 May 28 15:26:11 sshd: Received disconnect from <<SNIPIP>> port 41344:11: Bye Bye [preauth] May 28 15:26:11 sshd: Disconnected from <<SNIPIP>> port 41344 [preauth]
What’s interesting is when I attempt to connect using something like:
ssh test@myserverip -p 41344
my connection attempt eventually times out and I see no entry in auth.log – which is what I would expect to happen given I’ve locked the machine firewall down via UFW: (sidenote: I’m already running ssh on a non standard port)
ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- Anywhere DENY IN 22.214.171.124 Anywhere DENY IN 126.96.36.199 Anywhere DENY IN 188.8.131.52 Anywhere DENY IN 184.108.40.206 Anywhere DENY IN 220.127.116.11 Anywhere DENY IN 18.104.22.168 Anywhere DENY IN 22.214.171.124 Anywhere DENY IN 126.96.36.199 Anywhere DENY IN 188.8.131.52 22 DENY IN Anywhere 2200/tcp ALLOW IN Anywhere 25/tcp ALLOW IN Anywhere 80,443/tcp (Nginx Full) ALLOW IN Anywhere 2246 ALLOW IN Anywhere 2812 ALLOW IN Anywhere 2247/tcp ALLOW IN Anywhere 19999/tcp ALLOW IN Anywhere 82/tcp ALLOW IN Anywhere 22 (v6) DENY IN Anywhere (v6) 2200/tcp (v6) ALLOW IN Anywhere (v6) 25/tcp (v6) ALLOW IN Anywhere (v6) 80,443/tcp (Nginx Full (v6)) ALLOW IN Anywhere (v6) 2246 (v6) ALLOW IN Anywhere (v6) 2812 (v6) ALLOW IN Anywhere (v6) 2247/tcp (v6) ALLOW IN Anywhere (v6) 19999/tcp (v6) ALLOW IN Anywhere (v6) 82/tcp (v6) ALLOW IN Anywhere (v6)
So my main question is, how is it possible that someone is even getting a chance to attempt a login on port 41344 when I can’t?