Received disconnect from 201.###.###.34 port 58985:11: Normal Shutdown, Thank you for playing [preauth]

Ridgejp
Hi All,

Getting the above message in my auth.log on my server from the above IP and many others ... what does this mean?

J
Distinguished Expert 2017

Commented:
lsof -i:11
Check what ports you have open
netstat -an | grep -i listen
Is your system directly exposed to the net? Make sure to limit what ports are accessible.

Do you allow users to connect to your system? This port is being used to update each user's status.

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

Author

Commented:
This is a screenshot of the results of your terminal command...

tcp        0      0 ###.#.#.#:3306          0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN    
tcp6       0      0 :::80                   :::*                    LISTEN    
tcp6       0      0 :::22                   :::*                    LISTEN    
tcp6       0      0 :::443                  :::*                    LISTEN    
unix  2      [ ACC ]     STREAM     LISTENING     7975     /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     17044    /run/user/1000/systemd/private
unix  2      [ ACC ]     SEQPACKET  LISTENING     7977     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     7976     /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     7982     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     12100    /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     12108    /var/lib/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     12102    /run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     12101    /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     12107    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     12109    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     12971    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     16685    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     7970     /run/systemd/private
Distinguished Expert 2017

Commented:
If your system is directly connected to the Internet, make sure you have sfw setup to limit/restrict... To shield your system...

Check your xinetd configuration...

Author

Commented:
Please expand on your comments...
Distinguished Expert 2017
Commented:
iptables -L
UFW is the firewall used on Ubuntu.
Here, using UFW, you can configure it to allow specific access, web access port 80/443, etc.
https://help.ubuntu.com/lts/serverguide/firewall.html
201.###.###.34
Is that what you see in auth.log, or did you mask part of the address with "#" characters? If you masked the address, is it your IP address?

I ask because it's odd to mask some unknown address if you don't know what it is. And if it's your address, it might significantly change the context of the question.

Author

Commented:
Apologies I'd reacted by masking it not realising it had nothing to do with me ... just re-run the command and the following is the latest: -

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN    
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN    
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN    
tcp6       0      0 :::80                   :::*                    LISTEN    
tcp6       0      0 :::22                   :::*                    LISTEN    
tcp6       0      0 :::443                  :::*                    LISTEN    
unix  2      [ ACC ]     STREAM     LISTENING     8039     /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     22091    /run/user/1000/systemd/private
unix  2      [ ACC ]     SEQPACKET  LISTENING     8044     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     8056     /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     8057     /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     8058     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     12728    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     12727    /var/lib/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     12729    /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     12730    /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     12731    /run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     12732    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     15981    /var/run/sendmail/mta/smcontrol
unix  2      [ ACC ]     STREAM     LISTENING     13553    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     16779    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     22307    /var/run/fail2ban/fail2ban.sock

Author

Commented:
I've subsequently installed Fail2Ban, having done a little further research on the subject, and set up sendmail to report the IP addresses that result in a banned status. Is there anything more that I should be doing?
Distinguished Expert 2017

Commented:
the 11 might be an internal notifier from your own applications.
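
Added example, not part of any post in this thread: a Python parser for the "Received disconnect" line from the question that counts pre-authentication disconnects per source address. In OpenSSH's log format the number after the source port is the SSH disconnect reason code (11 is SSH_DISCONNECT_BY_APPLICATION in RFC 4253), and "[preauth]" means the peer left before authenticating. The sample log lines, hostname, addresses and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Subset of the disconnect reason codes defined in RFC 4253, section 11.1.
REASONS = {2: "PROTOCOL_ERROR", 11: "BY_APPLICATION",
           14: "NO_MORE_AUTH_METHODS_AVAILABLE"}

# sshd logs: Received disconnect from <ip> port <src_port>:<code>: <msg> [preauth]
LINE_RE = re.compile(
    r"sshd\[\d+\]: Received disconnect from (?P<ip>\S+) port (?P<port>\d+):"
    r"(?P<code>\d+): (?P<msg>.*?)(?P<preauth> \[preauth\])?$"
)

def parse_disconnect(line):
    """Split one auth.log line into its fields, or return None if it is not a disconnect."""
    m = LINE_RE.search(line.rstrip())
    if not m:
        return None
    code = int(m["code"])
    return {
        "ip": m["ip"],
        "src_port": int(m["port"]),   # client's ephemeral TCP port
        "code": code,                 # SSH disconnect reason code, not a port
        "reason": REASONS.get(code, "UNKNOWN"),
        "message": m["msg"],          # free text chosen by the remote client
        "preauth": m["preauth"] is not None,
    }

def preauth_sources(lines, threshold=3):
    """Return {ip: count} for sources with at least `threshold` preauth disconnects."""
    counts = Counter()
    for line in lines:
        rec = parse_disconnect(line)
        if rec and rec["preauth"]:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines (documentation address ranges, hypothetical host "web1").
SAMPLE = """\
Mar  3 04:11:02 web1 sshd[2210]: Received disconnect from 203.0.113.7 port 58985:11: Normal Shutdown, Thank you for playing [preauth]
Mar  3 04:11:09 web1 sshd[2214]: Received disconnect from 203.0.113.7 port 59001:11: Normal Shutdown, Thank you for playing [preauth]
Mar  3 04:11:15 web1 sshd[2219]: Received disconnect from 203.0.113.7 port 59040:11: Normal Shutdown, Thank you for playing [preauth]
Mar  3 04:12:40 web1 sshd[2231]: Received disconnect from 198.51.100.20 port 40112:11: disconnected by user
Mar  3 04:13:05 web1 sshd[2240]: Received disconnect from 198.51.100.99 port 51234:11: Bye Bye [preauth]
""".splitlines()

if __name__ == "__main__":
    print(preauth_sources(SAMPLE))
```

Run against a real log by passing an open file, for example preauth_sources(open("/var/log/auth.log")).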
