PF Why am I seeing failed ssh auth attempts on high ports when I have pf enabled?

My pf rules:

Code:
ext_if = "{ em0, wlan0, tailscale0 }"

ssh_ports = "22"
mosh_ports = "60000:61000"
smb_ports = "{ 137, 138, 139, 445 }"
ipp_ports = "{ 631, 80, 443, 9100 }"

set skip on lo0
block all

# Allow inbound SSH
pass in quick on $ext_if proto tcp from any to any port $ssh_ports keep state

# Allow inbound mosh
pass in quick on $ext_if proto udp from any to any port $mosh_ports keep state

# Allow inbound SMB/CIFS
pass in quick on $ext_if proto tcp from any to any port $smb_ports keep state
pass in quick on $ext_if proto udp from any to any port $smb_ports keep state

pass out proto {tcp udp } to port { 22, 53, 80, 123, 137, 138, 443 }
pass out inet proto icmp icmp-type { echoreq }
pass out proto udp to port {53, 123 }

# Allow Internet Printing
pass in on $ext_if proto {tcp, udp} from any to any port $ipp_ports keep state
pass out on $ext_if proto { tcp, udp } from any to any port $ipp_ports keep state

In /var/log/auth.log I am seeing a lot of warnings similar to the following:

Code:
Aug  9 03:06:26 glen-server sshd-session[5542]: Invalid user user from 218.201.250.120 port 51318
Aug  9 03:06:26 glen-server sshd-session[5542]: Connection closed by invalid user user 218.201.250.120 port 51318 [preauth]
Aug  9 03:06:57 glen-server sshd-session[5552]: Invalid user user from 218.201.250.120 port 11243
Aug  9 03:06:59 glen-server sshd-session[5552]: Connection closed by invalid user user 218.201.250.120 port 11243 [preauth]
Aug  9 03:07:31 glen-server sshd-session[5655]: Invalid user user from 218.201.250.120 port 26951
Aug  9 03:07:31 glen-server sshd-session[5655]: Connection closed by invalid user user 218.201.250.120 port 26951 [preauth]
Aug  9 03:08:04 glen-server sshd-session[5677]: Invalid user user from 218.201.250.120 port 41969
Aug  9 03:08:05 glen-server sshd-session[5677]: Connection closed by invalid user user 218.201.250.120 port 41969 [preauth]
Aug  9 03:08:36 glen-server sshd-session[5679]: Invalid user user from 218.201.250.120 port 57555
Aug  9 03:08:36 glen-server sshd-session[5679]: Connection closed by invalid user user 218.201.250.120 port 57555 [preauth]
Aug  9 03:09:08 glen-server sshd-session[5682]: Invalid user user from 218.201.250.120 port 15562
Aug  9 03:09:08 glen-server sshd-session[5682]: Connection closed by invalid user user 218.201.250.120 port 15562 [preauth]

Apparently I'm confused; I thought that given my ruleset, pf would block incoming ssh auth requests on these ports. No?
 
The source port of a TCP/UDP/ICMP connection is typically a random high port number.
 
This rule passes the ssh traffic that is a cause of concern for the OP:
Code:
pass in quick on $ext_if proto tcp from any to any port $ssh_ports keep state

sshd by default listens for connections on a well-known port, which is port 22. If you change it to listen on a non-standard port, you'll see far fewer hacking attempts logged.
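
An added example, not part of any post in this thread: a small parser for the `Invalid user ... from ADDR port N` lines quoted above. It groups them by client address so it is visible that `port N` is the client's source port, which changes on every connection, while each connection still arrived on the sshd port that the `pass in quick` rule allows. The host name, the addresses (documentation ranges) and the threshold of 3 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the auth.log lines quoted in the thread
# (addresses are from the documentation ranges, host name is a placeholder).
SAMPLE_LOG = """\
Aug  9 03:06:26 host sshd-session[5542]: Invalid user user from 203.0.113.7 port 51318
Aug  9 03:06:26 host sshd-session[5542]: Connection closed by invalid user user 203.0.113.7 port 51318 [preauth]
Aug  9 03:06:57 host sshd-session[5552]: Invalid user user from 203.0.113.7 port 11243
Aug  9 03:07:31 host sshd-session[5655]: Invalid user admin from 203.0.113.7 port 26951
Aug  9 03:09:10 host sshd-session[5690]: Invalid user test from 198.51.100.23 port 40022
"""

# "port N" in this message is the remote (client) source port, not the port sshd listens on.
INVALID_USER = re.compile(
    r"sshd(?:-session)?\[(?P<pid>\d+)\]: Invalid user (?P<user>\S*) "
    r"from (?P<addr>\S+) port (?P<sport>\d+)"
)


def summarize(log_text):
    """Group 'Invalid user' events by client address."""
    by_addr = defaultdict(lambda: {"attempts": 0, "users": set(), "src_ports": []})
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if not m:
            continue  # e.g. the "Connection closed" line logged for the same session
        entry = by_addr[m["addr"]]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
        entry["src_ports"].append(int(m["sport"]))
    return dict(by_addr)


def repeat_offenders(summary, threshold=3):
    """Addresses with at least `threshold` attempts (the threshold is an assumption)."""
    return sorted(a for a, e in summary.items() if e["attempts"] >= threshold)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for addr, e in summary.items():
        print(f"{addr}: {e['attempts']} attempts, users={sorted(e['users'])}, "
              f"client source ports={e['src_ports']}")
    print("repeat offenders:", repeat_offenders(summary))
```
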
 