I'm doing something dumb, or missing something. Can anyone spot it please?
I have a TP-Link Archer C7 set to port forward from an external port to port 22 on my internal server for SSH. But I still see external origin activity in auth.log for sshd ports other than 22. This puzzled me, but perhaps the TP-Link isn't doing port forwarding selectively.
So I added ufw and denied all access, then added:
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw is running and correctly blocking and logging some internal traffic - but there's nothing in the logs blocking the externally originated traffic. I still see activity allegedly for other ports in auth.log.
So I blocked everything SSH in hosts.deny (here you also see entries from fail2ban):
sshd: ALL
...
and used the ipfilter script to geoblock in hosts.allow:
sshd: ALL: spawn /usr/local/bin/ipfilter.sh %a
In auth.log I can see the hosts being denied by the ipfilter:
Dec 20 14:00:11 BobsJob root: DENY sshd connection from 114.44.149.56 (TW)
Dec 20 14:00:11 BobsJob sshd[16088]: Invalid user emmmetje from 114.44.149.56 port 34820
Dec 20 14:00:12 BobsJob sshd[16088]: Received disconnect from 114.44.149.56 port 34820:11: Bye Bye [preauth]
Dec 20 14:00:12 BobsJob sshd[16088]: Disconnected from invalid user emmmetje 114.44.149.56 port 34820 [preauth]
But why am I even seeing any log activity in auth.log about port 34820? How is it even getting as far as sshd denying access for an invalid user?
It should be blocked by my router.
Failing that, it should be blocked by ufw.
It is finally denied by the ipfilter script in hosts.allow, but it shouldn't even be getting that far.
Is it that the ports noted in auth.log aren't real, i.e. they are on the one external port I have open, which gets mapped to 22 internally? But then why does the log report a different port number?
What am I missing here?
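As an added example (not code from the original post), a small Python parser for auth.log lines in the format quoted above: it pulls each sshd event's remote address and the port field, which in sshd's "from ADDR port N" messages is the client's source port rather than the port sshd listens on, and tallies login attempts per address, the same signal fail2ban acts on. The log sample is constructed from the lines in the post, and the parser goes beyond them by also recognising "Failed password" events.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the auth.log lines quoted in the post; the last
# two lines are added to show a second connection and a second remote host.
SAMPLE_AUTH_LOG = """\
Dec 20 14:00:11 BobsJob root: DENY sshd connection from 114.44.149.56 (TW)
Dec 20 14:00:11 BobsJob sshd[16088]: Invalid user emmmetje from 114.44.149.56 port 34820
Dec 20 14:00:12 BobsJob sshd[16088]: Received disconnect from 114.44.149.56 port 34820:11: Bye Bye [preauth]
Dec 20 14:00:12 BobsJob sshd[16088]: Disconnected from invalid user emmmetje 114.44.149.56 port 34820 [preauth]
Dec 20 14:03:40 BobsJob sshd[16102]: Invalid user admin from 114.44.149.56 port 51122
Dec 20 14:05:02 BobsJob sshd[16110]: Failed password for root from 203.0.113.9 port 40210 ssh2
"""

# syslog timestamp, hostname, "sshd[PID]: message"
SSHD_LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# sshd names the peer as "ADDR port N": N is the client's ephemeral source
# port, never the local listening port, so it differs for every connection.
PEER = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")
INVALID_USER = re.compile(r"Invalid user (?P<user>\S+) from ")
FAILED_PW = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from ")

def parse_sshd_line(line):
    """Return (kind, user, ip, src_port) for an sshd line that names a peer, else None."""
    m = SSHD_LINE.match(line)
    peer = PEER.search(m.group("msg")) if m else None
    if not peer:
        return None
    msg = m.group("msg")
    if u := INVALID_USER.search(msg):
        return "invalid_user", u.group("user"), peer.group("ip"), int(peer.group("port"))
    if u := FAILED_PW.search(msg):
        return "failed_password", u.group("user"), peer.group("ip"), int(peer.group("port"))
    return "other", None, peer.group("ip"), int(peer.group("port"))

def summarize(log_text):
    """Per remote address: failed login attempts, usernames tried, source ports seen."""
    out = defaultdict(lambda: {"attempts": 0, "users": set(), "src_ports": set()})
    for line in log_text.splitlines():
        rec = parse_sshd_line(line)
        if rec is None:
            continue
        kind, user, ip, src_port = rec
        out[ip]["src_ports"].add(src_port)
        if kind != "other":
            out[ip]["attempts"] += 1
            out[ip]["users"].add(user)
    return dict(out)
```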