UFW blocks all incoming ports, except a few that I opened.
In auth.log I see a lot of attempts to get in through closed ports. Like:
Connection closed by 52.167.224.94 port 40030 [preauth]
This port should be closed by UFW. Why does it appear in auth.log? Is this a security risk? Is there a good web page where I can read more about this subject?
40030 is the client side port, or source port. If I run
ssh [email protected]
and interrupt the login before sending a password, the following will turn up in the logs:
From the beginning, there's the timestamp, the machine's name (example.com), which daemon[pid of daemon]: what happened by which client on which port [in which stage]
So this was a connection from 52.167.224.94, remote port 40030, probably to sshd on your machine, that was closed by the remote end during pre-authentication.
The port range the connection comes from is called ephemeral ports, and varies a bit by OS, but is generally >25000.
When you quote log lines, include the whole line. If there's any private info, redact it and indicate that it's redacted.
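The log-line layout described in the answer above (timestamp, host, daemon[pid], event, client, client port, stage), as an added example that is not part of the original answer: a Python parser that splits sshd "Connection closed by" lines into those fields and counts pre-auth disconnects per client. The sample lines are constructed (only the IP 52.167.224.94 and port 40030 come from the question), and the classic syslog timestamp layout and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the classic syslog layout; only the IP and
# port of the first line come from the question, everything else is made up.
SAMPLE_LOG = """\
Mar  3 10:15:01 example.com sshd[2101]: Connection closed by 52.167.224.94 port 40030 [preauth]
Mar  3 10:15:09 example.com sshd[2107]: Connection closed by 52.167.224.94 port 40112 [preauth]
Mar  3 10:16:40 example.com sshd[2120]: Connection closed by authenticating user root 203.0.113.7 port 51514 [preauth]
Mar  3 10:17:02 example.com sshd[2133]: Accepted publickey for alice from 198.51.100.20 port 60222 ssh2
Mar  3 10:17:30 example.com CRON[2140]: pam_unix(cron:session): session opened for user root
"""

# timestamp, host, daemon[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "<event> ... <client ip> port <client source port> [stage]"
CLOSED_RE = re.compile(
    r"^Connection closed by (?:(?:authenticating|invalid) user (?P<user>\S+) )?"
    r"(?P<ip>[0-9a-fA-F.:]+) port (?P<src_port>\d+)(?: \[(?P<stage>\w+)\])?$"
)

def parse_closed(line):
    """Return a dict for an sshd 'Connection closed by' line, else None."""
    outer = LINE_RE.match(line)
    if not outer or outer["daemon"] != "sshd":
        return None
    inner = CLOSED_RE.match(outer["msg"])
    if not inner:
        return None
    rec = {**outer.groupdict(), **inner.groupdict()}
    rec["pid"] = int(rec["pid"])
    rec["src_port"] = int(rec["src_port"])  # chosen by the client, not a port on this host
    del rec["msg"]
    return rec

def preauth_closes_by_ip(text):
    """Count connections each client closed before authenticating."""
    records = filter(None, map(parse_closed, text.splitlines()))
    return Counter(r["ip"] for r in records if r["stage"] == "preauth")

if __name__ == "__main__":
    for ip, n in preauth_closes_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} pre-auth disconnects")
```

The src_port field differs on every connection from the same client, which is why it cannot be matched against the list of ports opened in UFW.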