
Understanding the port numbers in lfd notifications

Discussion in 'Other Centmin Mod Installed software' started by deltahf, Jul 15, 2018.

  1. deltahf, Premium Member
    I am confused by the port numbers shown in the notification messages generated by lfd. Here are two examples:

    Code:
    Time:     Sat Jul 14 17:51:04 2018 +0000
    IP:       distributed sshd attack on account [admin]
    Failures: 5
    Interval: 3600 seconds
    Blocked:  Permanent Block [LF_DISTATTACK]
    
    Log entries:
    
    Jul 14 17:50:45 hv sshd[31767]: Invalid user admin from 41.238.149.99 port 59438
    Jul 14 17:50:47 hv sshd[31767]: Failed password for invalid user admin from 41.238.149.99 port 59438 ssh2
    Jul 14 17:50:51 hv sshd[31773]: Invalid user admin from 111.164.52.201 port 56595
    Jul 14 17:50:54 hv sshd[31773]: Failed password for invalid user admin from 111.164.52.201 port 56595 ssh2
    Jul 14 17:50:58 hv sshd[31775]: Invalid user admin from 186.251.162.132 port 48700
    
    IP Addresses Blocked:
    
    41.238.149.99 (EG/Egypt/host-41.238.149.99.tedata.net)
    111.164.52.201 (CN/China/dns201.online.tj.cn)
    186.251.162.132 (BR/Brazil/186-251-162-132.infotecrs.net.br)
    
    Code:
    Time:     Sat Jul 14 19:54:06 2018 +0000
    IP:       218.65.30.25 (CN/China/25.30.65.218.broad.xy.jx.dynamic.163data.com.cn)
    Failures: 5 (sshd)
    Interval: 3600 seconds
    Blocked:  Permanent Block [LF_SSHD]
    
    Log entries:
    
    Jul 14 19:53:46 hv sshd[2916]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.25  user=root
    Jul 14 19:53:48 hv sshd[2916]: Failed password for root from 218.65.30.25 port 22894 ssh2
    Jul 14 19:53:51 hv sshd[2916]: Failed password for root from 218.65.30.25 port 22894 ssh2
    Jul 14 19:53:53 hv sshd[2916]: Failed password for root from 218.65.30.25 port 22894 ssh2
    Jul 14 19:53:56 hv sshd[2916]: Failed password for root from 218.65.30.25 port 22894 ssh2
    I'm not running any services on 22894, 59438, 56595, or 48700. The ports are closed by csf, and ssh is running on default port 22.

    How could these attackers even attempt to authenticate with the ssh daemon on these seemingly random ports?
     
  2. eva2000, Administrator, Staff Member (Brisbane, Australia)
    You're seeing the attacker's source port reported - that isn't the port they're targeting. It's the port on the attacker's PC/server connecting to yours.

    That's usually how it works; try from another server to ssh into your centminmod server via the command line with an incorrect password/ports and see what happens. CSF Firewall will block you the same way: telemarketers cold call customers and try every number they can, but that doesn't mean they can connect to a person on the other end :)

    Example recursive grep for the bad IP 183.230.146.26 in the /var/log/secure and /var/log/lfd.log logs:
    Code (Text):
    cd /var/log
    grep -rn 183.230.146.26 | grep -A10 'Invalid user admin from 183.230.146.26' | sed -e "s|$(hostname)|hostname|g"
    
    secure:4184:Jul 14 19:06:54 hostname sshd[2253]: Invalid user admin from 183.230.146.26 port 38298
    secure:4187:Jul 14 19:06:54 hostname sshd[2253]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.230.146.26
    secure:4188:Jul 14 19:06:56 hostname sshd[2253]: Failed password for invalid user admin from 183.230.146.26 port 38298 ssh2
    secure:4190:Jul 14 19:06:58 hostname sshd[2253]: Failed password for invalid user admin from 183.230.146.26 port 38298 ssh2
    secure:4192:Jul 14 19:07:00 hostname sshd[2253]: Failed password for invalid user admin from 183.230.146.26 port 38298 ssh2
    secure:4194:Jul 14 19:07:02 hostname sshd[2253]: Failed password for invalid user admin from 183.230.146.26 port 38298 ssh2
    secure:4196:Jul 14 19:07:04 hostname sshd[2253]: Failed password for invalid user admin from 183.230.146.26 port 38298 ssh2
    secure:4198:Jul 14 19:07:06 hostname sshd[2253]: Failed password for invalid user admin from 183.230.146.26 port 38298 ssh2
    secure:4199:Jul 14 19:07:06 hostname sshd[2253]: error: maximum authentication attempts exceeded for invalid user admin from 183.230.146.26 port 38298 ssh2 [preauth]
    secure:4201:Jul 14 19:07:06 hostname sshd[2253]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.230.146.26
    lfd.log:980:Jul 14 19:07:12 hostname lfd[2257]: (sshd) Failed SSH login from 183.230.146.26 (CN/China/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
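The following is an added example, not code from this thread or from csf/lfd itself. It parses sshd "Failed password" lines in the format shown above, pulls out the client IP and the "port N" field, and shows that the field is the client's ephemeral source port rather than a listener on the server. It then reproduces the two counting rules visible in the notifications (5 failures from one IP within 3600 seconds, and 5 failures against one account from distinct IPs within 3600 seconds) in a simplified form. The sample log excerpt is constructed and modelled on the lines quoted in the thread; the two extra addresses 203.0.113.7 and 198.51.100.9 are documentation addresses, the log year is assumed to be 2018, and the thresholds are taken from the notifications, not from any csf.conf.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed /var/log/secure excerpt modelled on the thread's notifications.
# The last admin attempts and the fifth root attempt are made up to reach
# the thresholds shown in the lfd messages (5 failures / 3600 seconds).
SAMPLE_SECURE = """\
Jul 14 17:50:45 hv sshd[31767]: Invalid user admin from 41.238.149.99 port 59438
Jul 14 17:50:47 hv sshd[31767]: Failed password for invalid user admin from 41.238.149.99 port 59438 ssh2
Jul 14 17:50:51 hv sshd[31773]: Invalid user admin from 111.164.52.201 port 56595
Jul 14 17:50:54 hv sshd[31773]: Failed password for invalid user admin from 111.164.52.201 port 56595 ssh2
Jul 14 17:50:58 hv sshd[31775]: Invalid user admin from 186.251.162.132 port 48700
Jul 14 17:51:00 hv sshd[31775]: Failed password for invalid user admin from 186.251.162.132 port 48700 ssh2
Jul 14 17:51:02 hv sshd[31780]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jul 14 17:51:03 hv sshd[31781]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2
Jul 14 19:53:48 hv sshd[2916]: Failed password for root from 218.65.30.25 port 22894 ssh2
Jul 14 19:53:51 hv sshd[2916]: Failed password for root from 218.65.30.25 port 22894 ssh2
Jul 14 19:53:53 hv sshd[2916]: Failed password for root from 218.65.30.25 port 22894 ssh2
Jul 14 19:53:56 hv sshd[2916]: Failed password for root from 218.65.30.25 port 22894 ssh2
Jul 14 19:53:58 hv sshd[2916]: Failed password for root from 218.65.30.25 port 22894 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
# The "port N" here is the TCP source port chosen by the client's OS.
FAIL_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)


def parse_failed_logins(text, year=2018):
    """Return one event dict per 'Failed password' line (year is assumed: syslog omits it)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.match(m.group("msg"))
        if not f:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({
            "epoch": ts.replace(tzinfo=timezone.utc).timestamp(),
            "host": m.group("host"),
            "user": f.group("user"),
            "ip": f.group("ip"),
            "client_port": int(f.group("port")),
        })
    return events


def client_ports(events):
    """Distinct client source ports seen; none of these is a service on the server."""
    return sorted({ev["client_port"] for ev in events})


def all_unprivileged(events, low=1024):
    """True when every logged port is a non-privileged (client-side) port, i.e. not a listener like 22."""
    return all(ev["client_port"] >= low for ev in events)


def ips_to_block(events, threshold=5, interval=3600):
    """Simplified LF_SSHD rule: {ip: count} for IPs with >= threshold failures inside any interval-second window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev["epoch"])
    blocked = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > interval:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                blocked[ip] = end - start + 1
                break
    return blocked


def distributed_attacks(events, threshold=5, interval=3600):
    """Simplified LF_DISTATTACK rule: {account: sorted IPs} when >= threshold distinct IPs fail on one account inside a window."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((ev["epoch"], ev["ip"]))
    found = {}
    for user, items in by_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            window_ips = {ip for t, ip in items[i:] if t - t0 <= interval}
            if len(window_ips) >= threshold:
                found[user] = sorted(window_ips)
                break
    return found


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_SECURE)
    print("client source ports:", client_ports(evs), "(none is a server listener)")
    print("per-IP blocks:", ips_to_block(evs))
    print("distributed attacks:", distributed_attacks(evs))
```

The check that matters for the original question is `all_unprivileged`: the ports sshd logs are whatever the client's TCP stack picked for its side of the connection, so they vary per connection and never identify which service on the server was hit; the destination in every case is still the listener (port 22 in the thread). The two counting functions only illustrate the shape of the rules; real lfd also counts pam_unix failures and uses the values configured in csf.conf.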