Avatar of Ridgejp
Ridgejp
Flag for United Kingdom of Great Britain and Northern Ireland asked on

Received disconnect from 201.###.###.34 port 58985:11: Normal Shutdown, Thank you for playing [preauth]

Hi All,

Getting the above following message in my auth.log on my server from the above ip and many others ... what does this mean?

J
UbuntuLinux Security

Avatar of undefined
Last Comment
arnold

8/22/2022 - Mon
arnold

lsof -i:11
Check what ports you have open
netstat -an | grep -i listen
Is your system directly exposed to the net, make sure to limit what ports are accessible.

Do you allow users to connect to your system, this port is being used to update each user's status.

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
Ridgejp

ASKER
This is a screenshot of the results of your terminal command...

tcp        0      0 ###.#.#.#:3306          0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN    
tcp6       0      0 :::80                   :::*                    LISTEN    
tcp6       0      0 :::22                   :::*                    LISTEN    
tcp6       0      0 :::443                  :::*                    LISTEN    
unix  2      [ ACC ]     STREAM     LISTENING     7975     /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     17044    /run/user/1000/systemd/private
unix  2      [ ACC ]     SEQPACKET  LISTENING     7977     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     7976     /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     7982     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     12100    /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     12108    /var/lib/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     12102    /run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     12101    /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     12107    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     12109    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     12971    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     16685    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     7970     /run/systemd/private
arnold

If your system is directly connected to the Internet, make sure you have sfw setup to limit/restrict... To shield your system...

Check you xinetd configuration......
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Ridgejp

ASKER
Pleas expand on your comments...
ASKER CERTIFIED SOLUTION
arnold

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Member_2_276102

201.###.###.34
Is that what you see in auth.log, or did you mask part of the address with "#" characters? If you masked the address, is it your IP address?

I ask because it's odd to mask some unknown address if you don't know what it is. And if it's your address, it might significantly change the context of the question.
Ridgejp

ASKER
Apologies I'd reacted by masking it not realising it had nothing to do with me ... just re-run the command and the following is the latest: -

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN    
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN    
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN    
tcp6       0      0 :::80                   :::*                    LISTEN    
tcp6       0      0 :::22                   :::*                    LISTEN    
tcp6       0      0 :::443                  :::*                    LISTEN    
unix  2      [ ACC ]     STREAM     LISTENING     8039     /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     22091    /run/user/1000/systemd/private
unix  2      [ ACC ]     SEQPACKET  LISTENING     8044     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     8056     /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     8057     /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     8058     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     12728    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     12727    /var/lib/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     12729    /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     12730    /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     12731    /run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     12732    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     15981    /var/run/sendmail/mta/smcontrol
unix  2      [ ACC ]     STREAM     LISTENING     13553    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     16779    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     22307    /var/run/fail2ban/fail2ban.sock
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Ridgejp

ASKER
I've subsequently installed Fail2Ban having done a little further research on subject and set up sendmail to report the ip addresses that result in a banned status. Is there anything more that I should be doing?
arnold

the 11 might be an internal notifier from your own applications.