/ Register

Join the community today
Register Now

Understanding the port numbers in lfd notifications

Discussion in 'Other Centmin Mod Installed software' started by deltahf, Jul 15, 2018.

Tags:
Previous Thread Next Thread
Loading...
  1. Jul 15, 2018 #1
    deltahf

    deltahf Premium Member Premium Member

    518
    230
    43
    Jun 8, 2014
    Ratings:
    +412
    Local Time:
    4:03 AM
    I am confused by the port numbers shown in the notification messages generated by lfd. Here's two examples:

    Code:
    Time:     Sat Jul 14 17:51:04 2018 +0000
IP:       distributed sshd attack on account [admin]
Failures: 5
Interval: 3600 seconds
Blocked:  Permanent Block [LF_DISTATTACK]

Log entries:

Jul 14 17:50:45 hv sshd[31767]: Invalid user admin from 41.238.149.99 port 59438
Jul 14 17:50:47 hv sshd[31767]: Failed password for invalid user admin from 41.238.149.99 port 59438 ssh2
Jul 14 17:50:51 hv sshd[31773]: Invalid user admin from 111.164.52.201 port 56595
Jul 14 17:50:54 hv sshd[31773]: Failed password for invalid user admin from 111.164.52.201 port 56595 ssh2
Jul 14 17:50:58 hv sshd[31775]: Invalid user admin from 186.251.162.132 port 48700

IP Addresses Blocked:

41.238.149.99 (EG/Egypt/host-41.238.149.99.tedata.net)
111.164.52.201 (CN/China/dns201.online.tj.cn)
186.251.162.132 (BR/Brazil/186-251-162-132.infotecrs.net.br)
    Code:
    Time:     Sat Jul 14 19:54:06 2018 +0000
IP:       218.65.30.25 (CN/China/25.30.65.218.broad.xy.jx.dynamic.163data.com.cn)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked:  Permanent Block [LF_SSHD]

Log entries:

Jul 14 19:53:46 hv sshd[2916]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.25  user=root
Jul 14 19:53:48 hv sshd[2916]: Failed password for root from 218.65.30.25 port 22894 ssh2
Jul 14 19:53:51 hv sshd[2916]: Failed password for root from 218.65.30.25 port 22894 ssh2
Jul 14 19:53:53 hv sshd[2916]: Failed password for root from 218.65.30.25 port 22894 ssh2
Jul 14 19:53:56 hv sshd[2916]: Failed password for root from 218.65.30.25 port 22894 ssh2
    I'm not running any services on 22894, 59438, 56595, or 48700. The ports are closed by csf, and ssh is running on default port 22.

    How could these attackers even attempt to authenticate with the ssh daemon on these seemingly random ports?
     
  2. Jul 15, 2018 #2
    eva2000

    eva2000 Administrator Staff Member

    48,417
    11,099
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,274
    Local Time:
    6:03 PM
    Nginx 1.21.x
    MariaDB 10.x
    You're seeing the attacker's source port reported - that isn't the port they're targeting. It's the port on attacker's PC/server connecting to yours.

    That's usually how it works, try from another server to ssh into your centminmod server via command line with incorrect password /ports and see what happens. CSF Firewall will block you same way telemarketers cold call customers, try every number they can just doesn't mean they can connect to a person on the other end :)

    example recursive grep of bad ip 183.230.146.26 for /var/log/secure and /var/log/lfd.log logs
    Code (Text):
    cd /var/log
grep -rn 183.230.146.26 | grep -A10 'Invalid user admin from 183.230.146.26' | sed -e "s|$(hostname)|hostname|g"

secure:4184:Jul 14 19:06:54 hostname sshd[2253]: Invalid user admin from 183.230.146.26 port 38298
secure:4187:Jul 14 19:06:54 hostname sshd[2253]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.230.146.26
secure:4188:Jul 14 19:06:56 hostname sshd[2253]: Failed password for invalid user admin from 183.230.146.26 port 38298 ssh2
secure:4190:Jul 14 19:06:58 hostname sshd[2253]: Failed password for invalid user admin from 183.230.146.26 port 38298 ssh2
secure:4192:Jul 14 19:07:00 hostname sshd[2253]: Failed password for invalid user admin from 183.230.146.26 port 38298 ssh2
secure:4194:Jul 14 19:07:02 hostname sshd[2253]: Failed password for invalid user admin from 183.230.146.26 port 38298 ssh2
secure:4196:Jul 14 19:07:04 hostname sshd[2253]: Failed password for invalid user admin from 183.230.146.26 port 38298 ssh2
secure:4198:Jul 14 19:07:06 hostname sshd[2253]: Failed password for invalid user admin from 183.230.146.26 port 38298 ssh2
secure:4199:Jul 14 19:07:06 hostname sshd[2253]: error: maximum authentication attempts exceeded for invalid user admin from 183.230.146.26 port 38298 ssh2 [preauth]
secure:4201:Jul 14 19:07:06 hostname sshd[2253]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.230.146.26
lfd.log:980:Jul 14 19:07:12 hostname lfd[2257]: (sshd) Failed SSH login from 183.230.146.26 (CN/China/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
     
Previous Thread Next Thread
Loading...

.