asked on Received disconnect from 201.###.###.34 port 58985:11: Normal Shutdown, Thank you for playing [preauth]
Hi All,
Getting the above following message in my auth.log on my server from the above ip and many others ... what does this mean?
J
Getting the above following message in my auth.log on my server from the above ip and many others ... what does this mean?
J
UbuntuLinux Security
Last Comment
arnold
ASKER
This is a screenshot of the results of your terminal command...
tcp 0 0 ###.#.#.#:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 7975 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 17044 /run/user/1000/systemd/pri
unix 2 [ ACC ] SEQPACKET LISTENING 7977 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 7976 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 7982 /run/systemd/journal/stdou
unix 2 [ ACC ] STREAM LISTENING 12100 /run/snapd.socket
unix 2 [ ACC ] STREAM LISTENING 12108 /var/lib/lxd/unix.socket
unix 2 [ ACC ] STREAM LISTENING 12102 /run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 12101 /run/snapd-snap.socket
unix 2 [ ACC ] STREAM LISTENING 12107 /run/uuidd/request
unix 2 [ ACC ] STREAM LISTENING 12109 /var/run/dbus/system_bus_s
unix 2 [ ACC ] STREAM LISTENING 12971 @ISCSIADM_ABSTRACT_NAMESPA
unix 2 [ ACC ] STREAM LISTENING 16685 /var/run/mysqld/mysqld.soc
unix 2 [ ACC ] STREAM LISTENING 7970 /run/systemd/private
tcp 0 0 ###.#.#.#:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 7975 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 17044 /run/user/1000/systemd/pri
unix 2 [ ACC ] SEQPACKET LISTENING 7977 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 7976 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 7982 /run/systemd/journal/stdou
unix 2 [ ACC ] STREAM LISTENING 12100 /run/snapd.socket
unix 2 [ ACC ] STREAM LISTENING 12108 /var/lib/lxd/unix.socket
unix 2 [ ACC ] STREAM LISTENING 12102 /run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 12101 /run/snapd-snap.socket
unix 2 [ ACC ] STREAM LISTENING 12107 /run/uuidd/request
unix 2 [ ACC ] STREAM LISTENING 12109 /var/run/dbus/system_bus_s
unix 2 [ ACC ] STREAM LISTENING 12971 @ISCSIADM_ABSTRACT_NAMESPA
unix 2 [ ACC ] STREAM LISTENING 16685 /var/run/mysqld/mysqld.soc
unix 2 [ ACC ] STREAM LISTENING 7970 /run/systemd/private
If your system is directly connected to the Internet, make sure you have sfw setup to limit/restrict... To shield your system...
Check you xinetd configuration......
Check you xinetd configuration......
ASKER
Pleas expand on your comments...
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
201.###.###.34
Is that what you see in auth.log, or did you mask part of the address with "#" characters? If you masked the address, is it your IP address?
I ask because it's odd to mask some unknown address if you don't know what it is. And if it's your address, it might significantly change the context of the question.
Is that what you see in auth.log, or did you mask part of the address with "#" characters? If you masked the address, is it your IP address?
I ask because it's odd to mask some unknown address if you don't know what it is. And if it's your address, it might significantly change the context of the question.
ASKER
Apologies I'd reacted by masking it not realising it had nothing to do with me ... just re-run the command and the following is the latest: -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 8039 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 22091 /run/user/1000/systemd/pri
unix 2 [ ACC ] SEQPACKET LISTENING 8044 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 8056 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 8057 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 8058 /run/systemd/journal/stdou
unix 2 [ ACC ] STREAM LISTENING 12728 /run/uuidd/request
unix 2 [ ACC ] STREAM LISTENING 12727 /var/lib/lxd/unix.socket
unix 2 [ ACC ] STREAM LISTENING 12729 /run/snapd.socket
unix 2 [ ACC ] STREAM LISTENING 12730 /run/snapd-snap.socket
unix 2 [ ACC ] STREAM LISTENING 12731 /run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 12732 /var/run/dbus/system_bus_s
unix 2 [ ACC ] STREAM LISTENING 15981 /var/run/sendmail/mta/smco
unix 2 [ ACC ] STREAM LISTENING 13553 @ISCSIADM_ABSTRACT_NAMESPA
unix 2 [ ACC ] STREAM LISTENING 16779 /var/run/mysqld/mysqld.soc
unix 2 [ ACC ] STREAM LISTENING 22307 /var/run/fail2ban/fail2ban
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 8039 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 22091 /run/user/1000/systemd/pri
unix 2 [ ACC ] SEQPACKET LISTENING 8044 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 8056 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 8057 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 8058 /run/systemd/journal/stdou
unix 2 [ ACC ] STREAM LISTENING 12728 /run/uuidd/request
unix 2 [ ACC ] STREAM LISTENING 12727 /var/lib/lxd/unix.socket
unix 2 [ ACC ] STREAM LISTENING 12729 /run/snapd.socket
unix 2 [ ACC ] STREAM LISTENING 12730 /run/snapd-snap.socket
unix 2 [ ACC ] STREAM LISTENING 12731 /run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 12732 /var/run/dbus/system_bus_s
unix 2 [ ACC ] STREAM LISTENING 15981 /var/run/sendmail/mta/smco
unix 2 [ ACC ] STREAM LISTENING 13553 @ISCSIADM_ABSTRACT_NAMESPA
unix 2 [ ACC ] STREAM LISTENING 16779 /var/run/mysqld/mysqld.soc
unix 2 [ ACC ] STREAM LISTENING 22307 /var/run/fail2ban/fail2ban
ASKER
I've subsequently installed Fail2Ban having done a little further research on subject and set up sendmail to report the ip addresses that result in a banned status. Is there anything more that I should be doing?
the 11 might be an internal notifier from your own applications.
Check what ports you have open
netstat -an | grep -i listen
Is your system directly exposed to the net, make sure to limit what ports are accessible.
Do you allow users to connect to your system, this port is being used to update each user's status.
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml