My ssh daemon is set up to listen on port 2221. I have also disabled root login from ssh.
I don't understand why in auth.log I see attempts to log on other ports (example with 4627 here).
May 17 15:36:04 srv01 sshd[21682]: PAM service(sshd) ignoring max retries; 6 > 3
May 17 15:36:08 srv01 sshd[21706]: User root from 218.10.19.134 not allowed because none of user's groups are listed in AllowGroups
May 17 15:36:08 srv01 sshd[21706]: input_userauth_request: invalid user root [preauth]
May 17 15:36:10 srv01 sshd[21706]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.10.19.134 user=root
May 17 15:36:12 srv01 sshd[21706]: Failed password for invalid user root from 218.10.19.134 port 4627 ssh2
May 17 15:36:15 srv01 sshd[21706]: Failed password for invalid user root from 218.10.19.134 port 4627 ssh2
May 17 15:36:17 srv01 sshd[21706]: Failed password for invalid user root from 218.10.19.134 port 4627 ssh2
May 17 15:36:19 srv01 sshd[21706]: Failed password for invalid user root from 218.10.19.134 port 4627 ssh2
May 17 15:36:24 srv01 sshd[21706]: Failed password for invalid user root from 218.10.19.134 port 4627 ssh2
May 17 15:36:27 srv01 sshd[21706]: Failed password for invalid user root from 218.10.19.134 port 4627 ssh2
May 17 15:36:27 srv01 sshd[21706]: Disconnecting: Too many authentication failures for root [preauth]
SSHD is supposed to take these tries into account. Why do the logs say user/password is not matching whereas it shouldn't receive the request (wrong port)? Am I missing something?
Best Answer
The logs tell you:

Someone with the IP `218.10.19.134` and from port `4627` was trying several times to log in as user root with a password. But:

- `invalid` anyway, the logs are just informing you of the login attempts
- `password` authentication (not public key or anything else)
- `4627`, the destination port was `2221` (not written into the logs, as sshd is only listening to `2221`, any other attempts on other ports aren't noticed by sshd)
- `disconnecting` the tcp connection

You'll find all the highlighted words of my answer in your logs, except for the `2221`.
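An added example, not part of the original answer: a small Python parser over lines taken from the question's log (plus one constructed line) that reads the `port` field as the client's source port and counts failed logins per IP. The function names and the threshold value are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Lines copied from the question's auth.log excerpt, plus one constructed
# line (documentation IP 203.0.113.7) showing the valid-user message form.
SAMPLE = """\
May 17 15:36:08 srv01 sshd[21706]: User root from 218.10.19.134 not allowed because none of user's groups are listed in AllowGroups
May 17 15:36:12 srv01 sshd[21706]: Failed password for invalid user root from 218.10.19.134 port 4627 ssh2
May 17 15:36:15 srv01 sshd[21706]: Failed password for invalid user root from 218.10.19.134 port 4627 ssh2
May 17 15:36:27 srv01 sshd[21706]: Disconnecting: Too many authentication failures for root [preauth]
May 17 15:40:01 srv01 sshd[21900]: Failed password for alice from 203.0.113.7 port 51514 ssh2
"""

# "port N" here is the client's source port; the listening port (2221 in the
# question) never appears in these messages.
FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<sport>\d+)"
)

def summarize(log_text):
    """Group failed sshd logins by client IP."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "source_ports": set(), "invalid_user": False})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # other sshd/PAM messages carry no port field
        s = stats[m["ip"]]
        s["failures"] += 1
        s["users"].add(m["user"])
        s["source_ports"].add(int(m["sport"]))
        s["invalid_user"] |= m["invalid"] is not None
    return dict(stats)

def noisy_clients(stats, threshold=2):
    """IPs with at least `threshold` failures: candidates for rate limiting or a ban."""
    return sorted(ip for ip, s in stats.items() if s["failures"] >= threshold)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s["failures"], sorted(s["users"]), sorted(s["source_ports"]))
```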