• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Why is my auth.log showing totally weird port numbers for succesfull ssh connections?

dnv

New Member


Messages: 6

#1
This is a FreeBSD 11.1 system with sshd running on the default port 22. It is running from behind a router that accepts connections to port 10000 and then directs them to the FreeBSD system’s IP and port 22 and uses only keys for auth (passwords logins are disabled). Why is my auth.log showing totally weird ports for successfull ssh connections? Regardless of whether I connect from within the local network or from the outside world through the router and it’s port forwarding. I am seeing logs show these connection as happening on ports like 53815, 61990, 52997 and the like. What’s going on?
 

Eric A. Borisch

Well-Known Member

Thanks: 200
Messages: 308

#2
Those are the ephemeral ports on the client end of the TCP connection that you’re seeing. They should all be logged as ~ “disconnect from xxx.xxx.xxx.xxx port nnnnn” where the IP address (and port) are from the client side.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,773
Best answers: 3
Messages: 26,272

#3
The source port is always a random port. This is inherent for almost all TCP connections.