Received disconnect from 201.###.###.34 port 58985:11: Normal Shutdown, Thank you for playing [preauth]

Hi All,

Getting the above message in my auth.log on my server from the above IP and many others ... what does this mean?

J
Ridgejp Asked:

arnold Commented:
lsof -i:11
Check what ports you have open
netstat -an | grep -i listen
Is your system directly exposed to the net? Make sure to limit what ports are accessible.

Do you allow users to connect to your system? This port is being used to update each user's status.

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
Ridgejp (Author) Commented:
This is a screenshot of the results of your terminal command...

tcp        0      0 ###.#.#.#:3306          0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN    
tcp6       0      0 :::80                   :::*                    LISTEN    
tcp6       0      0 :::22                   :::*                    LISTEN    
tcp6       0      0 :::443                  :::*                    LISTEN    
unix  2      [ ACC ]     STREAM     LISTENING     7975     /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     17044    /run/user/1000/systemd/private
unix  2      [ ACC ]     SEQPACKET  LISTENING     7977     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     7976     /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     7982     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     12100    /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     12108    /var/lib/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     12102    /run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     12101    /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     12107    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     12109    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     12971    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     16685    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     7970     /run/systemd/private
arnold Commented:
If your system is directly connected to the Internet, make sure you have sfw set up to limit/restrict... To shield your system...

Check your xinetd configuration...
Ridgejp (Author) Commented:
Please expand on your comments...
arnold Commented:
iptables -L
UFW is the firewall used on Ubuntu.
Here, using UFW, you can configure it to allow specific access: web access on ports 80/443, etc.
https://help.ubuntu.com/lts/serverguide/firewall.html
Member_2_276102 Commented:
201.###.###.34
Is that what you see in auth.log, or did you mask part of the address with "#" characters? If you masked the address, is it your IP address?

I ask because it's odd to mask some unknown address if you don't know what it is. And if it's your address, it might significantly change the context of the question.
Ridgejp (Author) Commented:
Apologies I'd reacted by masking it not realising it had nothing to do with me ... just re-run the command and the following is the latest: -

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN    
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN    
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN    
tcp6       0      0 :::80                   :::*                    LISTEN    
tcp6       0      0 :::22                   :::*                    LISTEN    
tcp6       0      0 :::443                  :::*                    LISTEN    
unix  2      [ ACC ]     STREAM     LISTENING     8039     /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     22091    /run/user/1000/systemd/private
unix  2      [ ACC ]     SEQPACKET  LISTENING     8044     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     8056     /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     8057     /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     8058     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     12728    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     12727    /var/lib/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     12729    /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     12730    /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     12731    /run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     12732    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     15981    /var/run/sendmail/mta/smcontrol
unix  2      [ ACC ]     STREAM     LISTENING     13553    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     16779    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     22307    /var/run/fail2ban/fail2ban.sock
Ridgejp (Author) Commented:
I've subsequently installed Fail2Ban, having done a little further research on the subject, and set up sendmail to report the IP addresses that result in a banned status. Is there anything more that I should be doing?
arnold Commented:
The 11 might be an internal notifier from your own applications.
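
Added example (not part of the original thread or any participant's post): a parser for the sshd line quoted in the question. In OpenSSH's log format the number after `port <n>:` is the SSH disconnect reason code from RFC 4253 (11 is SSH_DISCONNECT_BY_APPLICATION), the text after it is the message sent by the remote client, and `[preauth]` means the session ended before authentication completed. The sample log lines, the 203.0.113.x/198.51.100.x addresses and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Disconnect reason codes from RFC 4253, section 11.1 (subset).
REASONS = {
    2: "PROTOCOL_ERROR",
    11: "BY_APPLICATION",
    14: "NO_MORE_AUTH_METHODS_AVAILABLE",
}

# sshd logs: "Received disconnect from <ip> port <port>:<code>: <msg> [preauth]"
LINE_RE = re.compile(
    r"Received disconnect from (?P<ip>\S+) port (?P<port>\d+):(?P<code>\d+): "
    r"(?P<msg>.*?)(?P<preauth> \[preauth\])?$"
)

def parse(line):
    """Return the fields of one sshd disconnect line, or None if it is another event."""
    m = LINE_RE.search(line.rstrip())
    if not m:
        return None
    code = int(m["code"])
    return {
        "ip": m["ip"],
        "port": int(m["port"]),          # remote (source) port of the client
        "code": code,                    # SSH disconnect reason code
        "reason": REASONS.get(code, "UNKNOWN"),
        "msg": m["msg"],                 # free text chosen by the remote client
        "preauth": m["preauth"] is not None,
    }

def preauth_sources(lines, threshold=2):
    """Source IPs with at least `threshold` disconnects before authentication."""
    counts = Counter(r["ip"] for r in map(parse, lines) if r and r["preauth"])
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample of auth.log lines (not taken from the asker's server).
SAMPLE = [
    "Mar  3 10:01:12 host sshd[1201]: Received disconnect from 203.0.113.7 port 58985:11: Normal Shutdown, Thank you for playing [preauth]",
    "Mar  3 10:01:15 host sshd[1204]: Received disconnect from 203.0.113.7 port 59010:11: Normal Shutdown, Thank you for playing [preauth]",
    "Mar  3 10:02:40 host sshd[1210]: Received disconnect from 198.51.100.20 port 40122:11: disconnected by user",
    "Mar  3 10:03:02 host sshd[1215]: Accepted publickey for admin from 198.51.100.20 port 40150 ssh2",
]

if __name__ == "__main__":
    for ip, n in preauth_sources(SAMPLE).items():
        print(f"{ip}: {n} pre-authentication disconnects")
```
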