Score:2

DigitalOcean Network Firewall allowing SSH connections on ports other than only 22

cn flag

I have a droplet on DigitalOcean with IPv4 and IPv6 enabled. The droplet is behind a digital ocean network firewall with the following rules:

Inbound:

  • SSH TCP 22 All IPv4, All IPv6
  • HTTP TCP 80 All IPv4, All IPv6
  • HTTP TCP 443 All IPv4, All IPv6

Outbound:

  • ICMP ICMP All IPv4 All IPv6
  • All TCP TCP All ports All IPv4 All IPv6
  • All UDP UDP All ports All IPv4

My understanding and expectation is that this will block all SSH attempts on ports other than port 22. However, when checking the sshd unit in the systemd journal, I see the following entries:

2022-12-29 03:00:32 Disconnected from invalid user antonio 43.153.179.44 port 45614 [preauth]
2022-12-29 03:00:32 Received disconnect from 43.153.179.44 port 45614:11: Bye Bye [preauth]
2022-12-29 03:00:31 Invalid user antonio from 43.153.179.44 port 45614
2022-12-29 02:58:37 Disconnected from invalid user desliga 190.129.122.3 port 1199 [preauth]
2022-12-29 02:58:37 Received disconnect from 190.129.122.3 port 1199:11: Bye Bye [preauth]
2022-12-29 02:58:37 Invalid user desliga from 190.129.122.3 port 1199

and many more lines like these, which means the firewall is not blocking SSH connections on ports other than 22.

The following graph shows the number of SSH connections to ports other than 22 in the last hour. The connections were reduced after enabling the Network Firewall, but they have not gone away.

[graph: SSH connections to ports other than 22, last hour]

Could it be that the Network Firewall of DigitalOcean is broken?

What am I missing?

Is anyone seeing the same situation on their infrastructure?

GACy20, md flag
That's the **source** port, not the destination port.
Ouss, cn flag
Yes. I misunderstood the log messages. Thank you for the comment! Very helpful!
Score:10
ru flag

Services listen on certain ports, e.g. sshd on port 22 by default. This means that if an SSH client requests a connection on a port other than 22, it would not be heard by the sshd service at all. There would be no trace of this request in the sshd log. In this case, those requests are actually coming in on port 22. What does "Invalid user antonio from 43.153.179.44 port 45614" actually mean?

  1. There was an SSH client request to connect as user antonio, which does not exist on the system.
  2. The request came from the IP address 43.153.179.44.
  3. The port number the SSH client used for the connection was 45614; it is the port number on the client side, not on your droplet.

Could it be that the Network Firewall of DigitalOcean is broken?

This is very unlikely.

Ouss, cn flag
Ah, that's the port number where the connection was initiated. Very, very helpful, thank you.
Score:7
ar flag

First of all, your SSH daemon is not listening on any port but 22. So no one can connect to it on a port different from port 22. For a connection to succeed, it has to be allowed by the firewall, and something has to be waiting to receive the packet: listening on the port, in tech parlance.

Furthermore, the firewall probably doesn't look at what's inside the packets. It goes by port numbers only, and 22 is the reserved port for SSH, so it shows that it allows SSH.

A TCP connection consists of four identifiers:

  1. Source IP
  2. Source port
  3. Destination IP
  4. Destination port

The port and IP shown in your logs are the source IP and source port. These are the so-called ephemeral ports, which are randomly assigned to a process that wants to make an outgoing connection.

Ouss, cn flag
Ah, that's the source port number, not the port number on my droplet. I was misunderstanding the log messages. Very, very helpful, thank you!
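To make the point of both answers concrete, here is an added example (not code from the question or either answer) that parses journal lines of the shape shown above, pulls out the source IP and source port, and records them as part of the connection four-tuple. The destination port is not in the log line at all; it is the port sshd listens on, which the example assumes is the default of 22. The log lines are constructed samples modelled on the ones in the question, and the per-source counter is the kind of aggregation a defender would use to spot password-guessing sources before deciding on a block list.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the journal entries in the question.
SAMPLE_LOG = """\
2022-12-29 03:00:31 Invalid user antonio from 43.153.179.44 port 45614
2022-12-29 03:00:32 Received disconnect from 43.153.179.44 port 45614:11: Bye Bye [preauth]
2022-12-29 03:00:32 Disconnected from invalid user antonio 43.153.179.44 port 45614 [preauth]
2022-12-29 02:58:37 Invalid user desliga from 190.129.122.3 port 1199
2022-12-29 02:58:37 Received disconnect from 190.129.122.3 port 1199:11: Bye Bye [preauth]
2022-12-29 02:58:37 Disconnected from invalid user desliga 190.129.122.3 port 1199 [preauth]
2022-12-29 02:55:10 Invalid user admin from 43.153.179.44 port 50122
"""

# Assumption: sshd is running with the default "Port 22"; the listening port
# never appears in these log lines, so it has to be supplied from the config.
SSHD_LISTEN_PORT = 22

# "Invalid user <name> from <ip> port <port>": <ip>/<port> are the CLIENT side.
INVALID_USER_RE = re.compile(r"Invalid user (\S+) from (\S+) port (\d+)")


def parse_invalid_user_events(log_text, listen_port=SSHD_LISTEN_PORT):
    """Return one dict per 'Invalid user' line, holding the full TCP four-tuple
    from the server's point of view. src_* come from the log line; dst_port is
    the listening port (assumed), and dst_ip is unknown here so it is left None."""
    events = []
    for line in log_text.splitlines():
        match = INVALID_USER_RE.search(line)
        if not match:
            continue  # disconnect/bye-bye lines carry no new information
        user, src_ip, src_port = match.group(1), match.group(2), int(match.group(3))
        events.append({
            "user": user,
            "src_ip": src_ip,
            "src_port": src_port,      # ephemeral port chosen by the client
            "dst_ip": None,            # the droplet's own address; not logged
            "dst_port": listen_port,   # the only port the connection could land on
        })
    return events


def attempts_per_source(events):
    """Count failed-login attempts per source IP, independent of source port.
    Grouping by src_ip rather than src_port is what matters for detection:
    the same client reuses its address but gets a fresh ephemeral port each time."""
    return Counter(event["src_ip"] for event in events)


def noisy_sources(events, threshold=2):
    """Source IPs with at least `threshold` invalid-user attempts in the input."""
    return sorted(ip for ip, n in attempts_per_source(events).items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_invalid_user_events(SAMPLE_LOG)
    for e in evts:
        print(f"{e['src_ip']}:{e['src_port']} -> :{e['dst_port']}  user={e['user']}")
    print("attempts per source:", dict(attempts_per_source(evts)))
    print("sources over threshold:", noisy_sources(evts))
```

Running this prints three tuples, each ending in `-> :22`, which is the whole story of the question: every connection in the log arrived on port 22, and the varying numbers are the clients' ephemeral ports. A real deployment would feed it `journalctl -u ssh -o cat` output and raise the threshold.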