Why is my auth.log showing totally weird port numbers for succesfull ssh connections?


New Member

Messages: 7

This is a FreeBSD 11.1 system with sshd running on the default port 22. It is running from behind a router that accepts connections to port 10000 and then directs them to the FreeBSD system’s IP and port 22 and uses only keys for auth (passwords logins are disabled). Why is my auth.log showing totally weird ports for successfull ssh connections? Regardless of whether I connect from within the local network or from the outside world through the router and it’s port forwarding. I am seeing logs show these connection as happening on ports like 53815, 61990, 52997 and the like. What’s going on?

Eric A. Borisch

Well-Known Member

Thanks: 210
Messages: 330

Those are the ephemeral ports on the client end of the TCP connection that you’re seeing. They should all be logged as ~ “disconnect from xxx.xxx.xxx.xxx port nnnnn” where the IP address (and port) are from the client side.


Staff member

Thanks: 6,332
Messages: 27,504

The source port is always a random port. This is inherent for almost all TCP connections.