DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

ssh attack after port forward on 2830n

27 Jan 2013 13:20 #74968 by simonh123
I want to check what I am doing with port forwarding as something does not make sense to me. That suggests I misunderstand something.

I am running an apache webserver on a linux box on my LAN. I wanted to ssh in from work during my lunch hour in order to get some things configured correctly, so set a port forward for 22 to the private IP of the linux box. That works as required.

I then find regular attacks reported as failed logins. They are reported by sshd to auth.log like so: "Failed password for root from 222.184.230.118 port 35522 ssh2". There are multiple attempts from the same IP, and this started happening from a lot of different IPs.

I err on the side of caution and have disabled the port forward for now. Anyway these attacks on root do not worry me too much as I have disabled root login in the sshd config. My Draytek configuration is quite simple, not much changed from default: no open ports, dmz, filters. I have added multi-nat port forward of http (only) on different external IPs to corresponding local apache servers.

Before doing anything to reinstate ssh I need to understand one thing. I have only enabled the port forward for 22, yet the attacks are coming in on high-numbered ports. In the example above 35522, but that is just one in a seemingly random sequence, 33512, 34584 etc. How are these ports being forwarded to the same local IP? Other linux servers that are running on the network are not getting any traffic from the outside world.

I'm interested to hear if someone can explain this, maybe point out if I am doing something wrong or need to do something else.

Thanks.


07 Feb 2013 12:31 #75101 by jmann
Hello Simon.

The high numbered ports you are seeing are the source port of the connections and are completely normal. When a host makes a TCP connection to another host, the operating system will usually select a random port between 1024 and 65535 to use as the source port.

sshd listens on port 22, so that is the destination port of the connections. The port forwarding rule on your router is acting upon the destination port in the packets.

One unfortunate consequence of running services on their well-known ports on the internet is that you'll get loads of connection attempts from script-kiddies and other opportunistic idiots looking for hosts to exploit. As long as you're running a secure version of sshd and have a strong username and password, then this shouldn't be anything more than an annoyance that might fill up your logs a bit.

However, it's trivially easy to avoid this annoyance by making your sshd service listen on a non-standard port. Unless the script-kiddies want to spend time scanning all 65535 TCP ports on your system, then they won't know which port sshd is listening on. I set mine to listen on a five-digit port number and then specify this in my ssh client program.
