Possible UFW issue
I have a server that just servers http content, (LA, no MP).
I have UFW set to only allow ports 22, 80, and 123.
Fail2Ban is installed, login from root disallowed, my login is with keyfile.
In the logwatch report, I am seeing entries for ports that should be blocked:
Unmatched Entries
message repeated 5 times: [ Failed password for root from 117.21.226.64 port 1888 ssh2] : 1 time(s)
message repeated 5 times: [ Failed password for root from 117.21.225.154 port 4519 ssh2] : 1 time(s)
message repeated 5 times: [ Failed password for root from 202.109.143.16 port 4461 ssh2] : 1 time(s)
message repeated 5 times: [ Failed password for root from 222.187.221.152 port 3454 ssh2] : 1 time(s)
message repeated 5 times: [ Failed password for root from 222.186.34.119 port 4574 ssh2] : 1 time(s)
What am I missing?
If those ports are blocked by UFW, why am I seeing failed login attempts for those ports?
If I test for open ports remotely, I show that they are filtered and not open, as I would expect.
I am not overly concerned, because they are getting stopped by Fail2Ban, and I am the only one with the keyfile, but still this doesn't seem right.
Any assistance on what might be going on is appreciated.
Thanks!
John
2 Replies
Thank you.
John