Home / server / Questions / 650227
Accepted
Miloš Đakonović
Asked: 2014-12-10 03:59:03 +0800 CST

ssh key authentication - port other than 22 involved

  • 772

I've noted this entry in auth.log

Accepted publickey for myuser from ip_address port 51150 ssh2

That entry corresponds with my ssh-key-based login event. SSH is listening to default port - 22.

What is the role of logged port 51150 and does it mean I cannot use restrictive iptables settings that blocks all traffic incoming to ports other than ones that I have previously specified (like 20,21,25,80,443,143...)

ssh

1 Answers

  1. Best Answer

    The port number shown is the ephemeral client-side port number, corresponding to the source port as seen by the SSH server. Server-side, all ssh connections are to port 22.

    Here's me sshing into my colo'ed server, and confirming the port listed in the relevant syslog file:

    odessa% ssh www.teaparty.net
[...]
[me@lory ~]$ tail -2 /var/log/facility/authpriv 
Dec  9 12:36:26 lory sshd[16793]: Accepted publickey for me from 78.46.204.154 port 58212 ssh2
Dec  9 12:36:27 lory sshd[16793]: pam_unix(sshd:session): session opened for user me by (uid=0)

    And here's the output from the client showing the connection:

    odessa% netstat -an|grep 22|grep 58212
tcp        0      0 78.46.204.154:58212         178.18.123.145:22           ESTABLISHED

    As you can see, the port number server-side is 22, as expected. It is the client-side port number that is 58212. Miloshio, since most iptables rules to permit access to services look something like

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    they are unaffected by the change in source-port number from client to client, as they only care about destination port number. Only if you were to write a rule like

    iptables -A INPUT -p tcp --dport 22 --sport 58212 -j ACCEPT

    would it need changing for each new client - which is why you'd have to be insane to do that, and no-one does.

    • 3