Link to home
Start Free TrialLog in
Avatar of Ridgejp
RidgejpFlag for United Kingdom of Great Britain and Northern Ireland

asked on

Received disconnect from 201.###.###.34 port 58985:11: Normal Shutdown, Thank you for playing [preauth]

Hi All,

Getting the above following message in my auth.log on my server from the above ip and many others ... what does this mean?

J
Avatar of arnold
arnold
Flag of United States of America image

lsof -i:11
Check what ports you have open
netstat -an | grep -i listen
Is your system directly exposed to the net, make sure to limit what ports are accessible.

Do you allow users to connect to your system, this port is being used to update each user's status.

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
Avatar of Ridgejp

ASKER

This is a screenshot of the results of your terminal command...

tcp        0      0 ###.#.#.#:3306          0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN    
tcp6       0      0 :::80                   :::*                    LISTEN    
tcp6       0      0 :::22                   :::*                    LISTEN    
tcp6       0      0 :::443                  :::*                    LISTEN    
unix  2      [ ACC ]     STREAM     LISTENING     7975     /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     17044    /run/user/1000/systemd/private
unix  2      [ ACC ]     SEQPACKET  LISTENING     7977     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     7976     /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     7982     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     12100    /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     12108    /var/lib/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     12102    /run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     12101    /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     12107    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     12109    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     12971    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     16685    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     7970     /run/systemd/private
If your system is directly connected to the Internet, make sure you have sfw setup to limit/restrict... To shield your system...

Check you xinetd configuration......
Avatar of Ridgejp

ASKER

Pleas expand on your comments...
ASKER CERTIFIED SOLUTION
Avatar of arnold
arnold
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Member_2_276102
Member_2_276102

201.###.###.34
Is that what you see in auth.log, or did you mask part of the address with "#" characters? If you masked the address, is it your IP address?

I ask because it's odd to mask some unknown address if you don't know what it is. And if it's your address, it might significantly change the context of the question.
Avatar of Ridgejp

ASKER

Apologies I'd reacted by masking it not realising it had nothing to do with me ... just re-run the command and the following is the latest: -

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN    
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN    
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN    
tcp6       0      0 :::80                   :::*                    LISTEN    
tcp6       0      0 :::22                   :::*                    LISTEN    
tcp6       0      0 :::443                  :::*                    LISTEN    
unix  2      [ ACC ]     STREAM     LISTENING     8039     /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     22091    /run/user/1000/systemd/private
unix  2      [ ACC ]     SEQPACKET  LISTENING     8044     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     8056     /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     8057     /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     8058     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     12728    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     12727    /var/lib/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     12729    /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     12730    /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     12731    /run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     12732    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     15981    /var/run/sendmail/mta/smcontrol
unix  2      [ ACC ]     STREAM     LISTENING     13553    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     16779    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     22307    /var/run/fail2ban/fail2ban.sock
Avatar of Ridgejp

ASKER

I've subsequently installed Fail2Ban having done a little further research on subject and set up sendmail to report the ip addresses that result in a banned status. Is there anything more that I should be doing?
the 11 might be an internal notifier from your own applications.