Wrong Incoming Ssh Ports In /var/log/auth.log ?

Hello,
I am using my raspberry pi with Linux 3.18+ installed. I changed the default ssh port from 22 to 16022. This is my sshd_config file:
Code:
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
#Port 22
Port 16022
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2

PAM auth is disabled and I only login using password. Now, I checked the authentication log file: /var/log/auth.log. This is a snippet of what it contains:
Quote:
Apr 23 23:44:55 raspberrypi sshd[6473]: Accepted password for pi from 50.252.93.50 port 51978 ssh2
Apr 23 23:52:22 raspberrypi sshd[6477]: Received disconnect from 50.252.93.50: 11: Normal Shutdown
May 5 01:51:02 raspberrypi sshd[4551]: Accepted password for pi from 50.153.109.28 port 30222 ssh
May 5 09:43:47 raspberrypi sshd[6033]: Accepted password for pi from 50.153.110.150 port 21551 ssh2
May 5 09:43:53 raspberrypi sshd[6039]: Received disconnect from 50.153.110.150: 11: Normal Shutdown
May 5 14:09:23 raspberrypi sshd[6783]: Accepted password for pi from 50.153.109.23 port 28684 ssh
May 5 14:32:43 raspberrypi sshd[7008]: Accepted password for pi from 50.153.109.23 port 28689 ssh
May 5 14:37:21 raspberrypi sshd[7014]: Received disconnect from 50.153.109.23: 11: Normal Shutdow
May 8 02:01:41 raspberrypi sshd[24468]: Accepted password for pi from 50.153.110.150 port 30862 ssh2
How is this possible? Why is it showing these random ports for ssh?

This is what 'sudo netstat -nlp' gives:
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      7923/0
tcp        0      0 0.0.0.0:16022           0.0.0.0:*               LISTEN      2501/sshd
udp        0      0 0.0.0.0:37851           0.0.0.0:*                           2019/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2192/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2019/dhclient
udp        0      0 192.168.1.82:123        0.0.0.0:*                           2419/ntpd
udp        0      0 192.168.1.78:123        0.0.0.0:*                           2419/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           2419/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2419/ntpd
udp        0      0 0.0.0.0:44953           0.0.0.0:*                           2192/dhclient
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     SEQPACKET  LISTENING     3880     168/udevd           /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     8018     2341/dbus-daemon    /var/run/dbus/system_bus_socket

Plus, I am accessing my machine from outside my home network. My router is configured to block all ports, except 16022, whose tcp traffic is forwarded to my raspberry pi. So I don't understand why the log file has these weird ports listed.


Similar Content



Selinux On Ubuntu Server

Hi All,

Please can someone assist me on this, I enabled Selinux on Ubuntu 14.04 server and it's disabling ssh remote login for all users including root.

From the ssh terminal I get the following error:

ssh root@192.168.x.x
Last login: Wed Mar 25 12:39:02 2015 from 192.168.x.x
/bin/bash: Permission denied
Connection to 192.168.211.135 closed.


tail /var/log/auth.log

ubuntu sshd[1640]: Accepted password for root from 192.168.x.x port 51082 ssh2

ubuntu sshd[1642]: Accepted password for root from 192.168.x.x port 51089 ssh2

ubunt sshd[1640]: Received disconnect from 192.168.x.x: disconnected by user

audit2allow --all

sshd_t

This avc is a constraint violation. you would need to modify the attribute of either the source or target types to allow this access.

possible cause is the source user (system_u) and target user (unconfined_u) are different.

possible cause is the source role (system_r) and target role (unconfined_r) are different.

possible cause is the source level (s0) and target level (s0-s0:c0.c255) are different.

allow sshd_t unconfined_trocess transition.

Please how can I make this changes to take effect.

Thanks in advance.

Unable To Access Ssh Anywhere On Port 22

Hi I'am newbie here,can somebody help me to fix accessing port 22 using ssh anywhere. Please see the sshd_config below:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility LOCAL3
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
AllowUsers root

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

Inetd Listening But No Connection (ftp/Telnet)

Hello,

I try to use a ftp daemon and a Telnet daemon with inetd and the BusyBox v1.19.0 on a linux 2.6.24.

When running inetd and then checking what is listening with "netstat -an |grep LISTEN" i have :
Code:
netstat: /proc/net/tcp6: No such file or directory
netstat: /proc/net/udp6: No such file or directory
netstat: /proc/net/raw6: No such file or directory
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN

tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN

tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN

ftp port 21 and Telnet port 23 seems to be listening.

My inetd.conf file is :

Code:
#<service_name>    <sock_type>    <proto>    <flags> <user>     <server_path>     <args> 

21 stream tcp nowait root ftpd ftpd /etc
telnet            stream        tcp        nowait    root    /usr/sbin/telnetd

I have no rule in my hosts.deny so nothing should be stopped and i have no iptables firewall in place too.

When typing "ftp://ipofthetarget" in a web browser i have a error :

Code:
504 Gateway Timeout
Gateway timeout expired while waiting for server response.

And when trying to Telnet from another computer or "Telnet localhost" from the board i have :
Code:
# telnet 10.2.29.201
Trying 10.2.29.201...
connected to 10.2.29.201.
Escape character is '^]'

Connection closed by foreign host.

This would mean that the connection for Telnet exist but why is it closing ?

Thank you for your future answers !

UPDATE 1 :
If i try to run telnetd like this :
/usb/sbin/telnet -l /bin/sh
i can connect anonymously from another computer, not perfect because i would like a user/password but still of use.
The problem with the ftp daemon still exist.

UPDATE 2 :
Trying from Windows cmd or linux terminal : ftp ipofthetarget seems to work
Not perfect because i would like a user/password too but still of use.

I am still open for suggestion for the user/password thing. I am not deleting the thread in case someone interested about this exist.

What Does Ps Aux | Egrep......mean?

Hey guys well, i killed a user that was ssh into my machine and a googled how to do it, however the command that I used to find he PID was

ps aux | egrep "sshd: [a-zA-Z]+@"

why not just use ps aux | grep sshd?

also can someone decipher what ps aux | egrep "sshd: [a-zA-Z]+@" means? I am not that advanced to understand what I googled on that? Also, is there a good tutorial to teach you those commands in depth like that? And what are they called? the (egrep "sshd: [a-zA-Z]+@") part.

Limit SSH User Based On Local IP Address?

I suspect this is not possible but I'll ask.

For machine where SSHd is listening on multiple IP addresses, is it possible to block certain users logging in based on the IP address they are connecting to?

Example:
Listening on 1.2.3.4 and 5.6.7.8
User amir should be allowed to log in on 1.2.3.4 but NOT 5.6.7.8
User mary is allowed on 5.6.7.8 but not on 1.2.3.4

Again, these are the IP addresses the user is connecting TO not FROM.

I think I could do this by running multiple sshd instances but can I do it with a single one?

How To Identify An Ephemeral Port

Hi all,

I understand that Linux by default will limit its Ephemeral port allocation between 32768 to 61000.

I need to identify the applications running on my box (around 500 of them) which are intentionally using a port which happens to be in Ephemeral port range. Objective is to get a list of those apps and flag it so that the developers get to know of it and change their application port.

When I run netstat -nap to get a list of listen ports, I am unable to figure out if the port in Ephemeral range is actually allocated by OS or one of my apps has done it.


Thanks,
linux_it_is

Redhat SSH Access

Hello all,

I´m in trouble trying to access a server via ssh and root access but had no success so far.
The interesting thing is when I do /usr/sbin/sshd -d -p 2222 and try to connect on 2222 port I can do that. But if I try on port 22 no success.

following my sshd_conf. Any help will be appreciated:


# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

New Password Not Working In Software Centre.

Hi, I forgot my password so went into root to change it.

From grub menu, Ubuntu : advanced options : ubuntu recovery : network : root

input passwd then typed in a new password and re-entered password. rebooted.

Tried to uninstall Firefox from software centre but the new password was not accepted for authentication.

Could anyone advise what the problem could be or suggest what I may have done wrong. The password appeared to be accepted ok in root. Thanks

Trouble Configuring Vsftp

Using a Raspberry Pi w/ Debian

Read the manual and several "how-to"s and am getting nowhere

vsftp is running and making a log file. I can get to the Pi with putty or SAMBA

Ultimately want to be able to both(I) ftp in under the "pi" user to access files remotely and (II) have people sending me huge files ftp them in anonymously

Have tried (I) the ftp client in Windows 7 Internet explorer 11, (ii) the ftp client in the Windows 7 "map network drive" UI, and (iii) ES file explorer on my Android phone.

The android phone tells me there is no server there. Windows 7 gets no password challenge, gives no error indication, but does nothing useful. The vsftpd log file shows some attempt by the Windows machine, nothing for the Android.

Config file and log file attached.

The Android is trying to use port 21, the config file mentions something about port 20. Which ports do I need to forward in my router to enable remote access?

Any help appreciated.

Thanks. Jonathan

Centos 7 - X11 Forwarding

I've read quite a few articles on this now and I still don't seem to be able to do this so am hoping someone can tell me where I am going wrong...

Background:-
Centos v7 running in a VM
Cygwin installed on the desktop (fresh install)

I have amended the sshd_config on the VM to :-
X11Forwarding yes
X11UseLocalhost no
Disabled selinux and restarted the sshd daemon.

Within cygwin before making the connection I set:-
export DISPLAY=:0
Then run startxwin

Within Xwin.exe I run the following and get the error:-
$ ssh -XY root@192.168.246.130
root@192.168.247.131's password:
X11 forwarding request failed on channel 0
Last login: Tue Jun 2 20:40:44 2015 from 192.168.246.10

Is it something I'm missing?
I'll admit X11 is a weak area for me.