Received disconnect from 201.###.###.34 port 58985:11: Normal Shutdown, Thank you for playing [preauth]

Hi All,

Getting the above following message in my auth.log on my server from the above ip and many others ... what does this mean?

J

RidgejpManaging DirectorAsked: 2017-03-31

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

Experts Exchange Solution brought to you by

Enjoy your complimentary solution view.

Get every solution instantly with Premium. Start your 7-day free trial.

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LVL 83

arnoldCommented: 2017-03-31

lsof -i:11
Check what ports you have open
netstat -an | grep -i listen
Is your system directly exposed to the net, make sure to limit what ports are accessible.

Do you allow users to connect to your system, this port is being used to update each user's status.

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

RidgejpManaging DirectorAuthor Commented: 2017-03-31

This is a screenshot of the results of your terminal command...

tcp 0 0 ###.#.#.#:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 7975 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 17044 /run/user/1000/systemd/private
unix 2 [ ACC ] SEQPACKET LISTENING 7977 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 7976 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 7982 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 12100 /run/snapd.socket
unix 2 [ ACC ] STREAM LISTENING 12108 /var/lib/lxd/unix.socket
unix 2 [ ACC ] STREAM LISTENING 12102 /run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 12101 /run/snapd-snap.socket
unix 2 [ ACC ] STREAM LISTENING 12107 /run/uuidd/request
unix 2 [ ACC ] STREAM LISTENING 12109 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 12971 @ISCSIADM_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 16685 /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 7970 /run/systemd/private

LVL 83

arnoldCommented: 2017-04-01

If your system is directly connected to the Internet, make sure you have sfw setup to limit/restrict... To shield your system...

Check you xinetd configuration......

RidgejpManaging DirectorAuthor Commented: 2017-04-01

Pleas expand on your comments...

LVL 83

arnoldCommented: 2017-04-01

iptables -L
UFW is the firewall used on ubuntu.
here using the UFW you can configure it to allow specific access, web access port 80/443, etc.
https://help.ubuntu.com/lts/serverguide/firewall.html

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

LVL 27

tliottaCommented: 2017-04-03

201.###.###.34
Is that what you see in auth.log, or did you mask part of the address with "#" characters? If you masked the address, is it your IP address?

I ask because it's odd to mask some unknown address if you don't know what it is. And if it's your address, it might significantly change the context of the question.

RidgejpManaging DirectorAuthor Commented: 2017-04-03

Apologies I'd reacted by masking it not realising it had nothing to do with me ... just re-run the command and the following is the latest: -

tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 8039 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 22091 /run/user/1000/systemd/private
unix 2 [ ACC ] SEQPACKET LISTENING 8044 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 8056 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 8057 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 8058 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 12728 /run/uuidd/request
unix 2 [ ACC ] STREAM LISTENING 12727 /var/lib/lxd/unix.socket
unix 2 [ ACC ] STREAM LISTENING 12729 /run/snapd.socket
unix 2 [ ACC ] STREAM LISTENING 12730 /run/snapd-snap.socket
unix 2 [ ACC ] STREAM LISTENING 12731 /run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 12732 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 15981 /var/run/sendmail/mta/smcontrol
unix 2 [ ACC ] STREAM LISTENING 13553 @ISCSIADM_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 16779 /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 22307 /var/run/fail2ban/fail2ban.sock

RidgejpManaging DirectorAuthor Commented: 2017-04-03

I've subsequently installed Fail2Ban having done a little further research on subject and set up sendmail to report the ip addresses that result in a banned status. Is there anything more that I should be doing?