Received disconnect from 201.###.###.34 port 58985:11: Normal Shutdown, Thank you for playing [preauth]
Hi All,
I'm getting the above message in my auth.log on my server from the above IP and many others... what does this mean?
J
Ubuntu, Linux Security
8/22/2022 - Mon
arnold
lsof -i:11
Check what ports you have open
netstat -an | grep -i listen
Is your system directly exposed to the net? Make sure to limit what ports are accessible.
Do you allow users to connect to your system? This port is being used to update each user's status.
201.###.###.34
Is that what you see in auth.log, or did you mask part of the address with "#" characters? If you masked the address, is it your IP address?
I ask because it's odd to mask some unknown address if you don't know what it is. And if it's your address, it might significantly change the context of the question.
Ridgejp
ASKER
Apologies, I'd reacted by masking it, not realising it had nothing to do with me... I've just re-run the command and the following is the latest:
I've subsequently installed Fail2Ban, having done a little further research on the subject, and set up sendmail to report the IP addresses that result in a banned status. Is there anything more that I should be doing?
arnold
The 11 might be an internal notifier from your own applications.
Check what ports you have open
netstat -an | grep -i listen
Is your system directly exposed to the net? Make sure to limit what ports are accessible.
Do you allow users to connect to your system? This port is being used to update each user's status.
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
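
An added example, not part of the thread: in OpenSSH's `Received disconnect from <ip> port <p>:<n>: <text>` log line, `<p>` is the client's source port and `<n>` is the SSH disconnect reason code from RFC 4253 section 11.1 (11 is SSH_DISCONNECT_BY_APPLICATION), and `[preauth]` means the client disconnected before authenticating. The script below parses such lines and counts pre-auth disconnects per source address; the sample log lines are constructed and use documentation address ranges, and the function names are this example's own.

```python
import re
from collections import Counter

# Subset of SSH disconnect reason codes (RFC 4253, section 11.1).
REASONS = {2: "PROTOCOL_ERROR", 11: "BY_APPLICATION",
           14: "NO_MORE_AUTH_METHODS_AVAILABLE"}

# "Received disconnect from <ip> port <src-port>:<reason-code>: <message>"
LINE_RE = re.compile(
    r"Received disconnect from (?P<ip>\S+) port (?P<port>\d+):(?P<code>\d+): "
    r"(?P<msg>.*?)(?P<preauth> \[preauth\])?$"
)

# Constructed sample lines; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Aug 22 10:01:02 host sshd[1201]: Received disconnect from 203.0.113.7 port 58985:11: Normal Shutdown, Thank you for playing [preauth]
Aug 22 10:01:09 host sshd[1207]: Received disconnect from 203.0.113.7 port 59012:11: Normal Shutdown, Thank you for playing [preauth]
Aug 22 10:02:30 host sshd[1215]: Received disconnect from 198.51.100.20 port 40122:11: Bye Bye [preauth]
Aug 22 10:05:44 host sshd[1230]: Received disconnect from 192.0.2.15 port 51514:11: disconnected by user
Aug 22 10:05:44 host sshd[1230]: Disconnected from user alice 192.0.2.15 port 51514
"""


def parse_disconnect(line):
    """Return the fields of a 'Received disconnect' line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m["code"])
    return {
        "ip": m["ip"],
        "src_port": int(m["port"]),      # client's ephemeral port
        "code": code,                    # SSH disconnect reason code
        "reason": REASONS.get(code, "UNKNOWN"),
        "message": m["msg"],             # free text chosen by the client
        "preauth": m["preauth"] is not None,
    }


def preauth_counts(text):
    """Count disconnects that happened before authentication, per source IP."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_disconnect(line)
        if rec and rec["preauth"]:
            counts[rec["ip"]] += 1
    return counts


if __name__ == "__main__":
    for ip, n in preauth_counts(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} pre-auth disconnects")
```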