Hello:

I have a server that just servers http content, (LA, no MP).

I have UFW set to only allow ports 22, 80, and 123.

Fail2Ban is installed, login from root disallowed, my login is with keyfile.

In the logwatch report, I am seeing entries for ports that should be blocked:

**Unmatched Entries**
message repeated 5 times: [ Failed password for root from 117.21.226.64 port 1888 ssh2] : 1 time(s)
message repeated 5 times: [ Failed password for root from 117.21.225.154 port 4519 ssh2] : 1 time(s)
message repeated 5 times: [ Failed password for root from 202.109.143.16 port 4461 ssh2] : 1 time(s)
message repeated 5 times: [ Failed password for root from 222.187.221.152 port 3454 ssh2] : 1 time(s)
message repeated 5 times: [ Failed password for root from 222.186.34.119 port 4574 ssh2] : 1 time(s)


What am I missing?
If those ports are blocked by UFW, why am I seeing failed login attempts for those ports?
If I test for open ports remotely, I show that they are filtered and not open, as I would expect.

I am not overly concerned, because they are getting stopped by Fail2Ban, and I am the only one with the keyfile, but still this doesn't seem right.

Any assistance on what might be going on is appreciated.

Thanks!

John

Those will be the source ports

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

I didn't think about those being on the source end.

Thank you.

John