Possible UFW issue

Hello:

I have a server that just servers http content, (LA, no MP).

I have UFW set to only allow ports 22, 80, and 123.

Fail2Ban is installed, login from root disallowed, my login is with keyfile.

In the logwatch report, I am seeing entries for ports that should be blocked:

Unmatched Entries

message repeated 5 times: [ Failed password for root from 117.21.226.64 port 1888 ssh2] : 1 time(s)

message repeated 5 times: [ Failed password for root from 117.21.225.154 port 4519 ssh2] : 1 time(s)

message repeated 5 times: [ Failed password for root from 202.109.143.16 port 4461 ssh2] : 1 time(s)

message repeated 5 times: [ Failed password for root from 222.187.221.152 port 3454 ssh2] : 1 time(s)

message repeated 5 times: [ Failed password for root from 222.186.34.119 port 4574 ssh2] : 1 time(s)

What am I missing?

If those ports are blocked by UFW, why am I seeing failed login attempts for those ports?

If I test for open ports remotely, I show that they are filtered and not open, as I would expect.

I am not overly concerned, because they are getting stopped by Fail2Ban, and I am the only one with the keyfile, but still this doesn't seem right.

Any assistance on what might be going on is appreciated.

Thanks!

John

2 Replies

Those will be the source ports

I didn't think about those being on the source end.

Thank you.

John

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct