• ssh incoming port used?

    From William Unruh@unruh@invalid.ca to alt.os.linux.mageia on Wed Nov 19 23:12:58 2025
    From Newsgroup: alt.os.linux.mageia

    I have a number of ssh ports that could be used. Is there some way of
    recording which port was used by a remote machine trying to ssh into my
    system (my port, not the remote system's port)
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Markus Robert Kessler@no_reply@dipl-ing-kessler.de to alt.os.linux.mageia on Sun Dec 28 18:50:38 2025
    From Newsgroup: alt.os.linux.mageia

    On Wed, 19 Nov 2025 23:12:58 -0000 (UTC) William Unruh wrote:

    I have a number of ssh ports that could be used. Is there some way of recording which port was used by a remote machine trying to ssh into my system (my port, not the remote system's port)

    Not retrospectively. This info is nowhere to be found. But,
    you can try to monitor the connection by running Wireshark, or tcpdump.

    Tcpdump can be run in the foreground or in a "screen" session as a
    background process, writing log data to a file. Wireshark can open and
    display this info. In this trace you can find the destination port.

    Best regards,

    Markus
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From William Unruh@unruh@invalid.ca to alt.os.linux.mageia on Mon Dec 29 01:50:03 2025
    From Newsgroup: alt.os.linux.mageia

    On 2025-12-28, Markus Robert Kessler <no_reply@dipl-ing-kessler.de> wrote:
    On Wed, 19 Nov 2025 23:12:58 -0000 (UTC) William Unruh wrote:

    I have a number of ssh ports that could be used. Is there some way of
    recording which port was used by a remote machine trying to ssh into my
    system (my port, not the remote system's port)

    Not retrospectively. This info is nowhere to be found. But,
    you can try to monitor the connection by running Wireshark, or tcpdump.

    Tcpdump can be run in the foreground or in a "screen" session as a background process, writing log data to a file. Wireshark can open and display this info. In this trace you can find the destination port.

    Best regards,

    Markus

    I found another way, if you are running shorewall, the firewall
    software for mageia.

    In /etc/shorewall/rules, (or rules.drakx)
    LOG:info net fw tcp,udp 22,5123,7787
    where those port numbers are the ports you have open for ssh to the
    outside world

    Then in /var/log/syslog or /var/log/shorewall (I have never figured out
    how to make that second one work) will be a list of connections to
    ports 22,5123,7787 say.
    Dec 28 17:27:34 dilaton kernel: [12180363.296626] Shorewall:net-fw:LOG:IN=eno1 OUT= MAC=58:11:22:b8:2f:dc:7c:0e:ce:03:15:80:08:00 SRC=116.110.17.103 DST=142.103.234.77 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26545 DF PROTO=TCP SPT=38258 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
    where DST=142.103.234.77 is your local machine's IP, DPT=22 is the one
    of the ports listed in rules which should be the ssh connection port for
    your machine (listed in /etc/ssh/sshd_config ), the time is the date when
    that connection was made (and the same as the time listed for the ssh
    refusal in dmesg or /var/log/syslog.)
    --- Synchronet 3.21a-Linux NewsLink 1.2
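
The firewall log lines described in the post above can be reduced to a per-port summary. This is an added example, not code from any poster in the thread: the function names, the SSH_PORTS variable and the sample log lines are constructed for illustration, and the port list is the one from the post's rule.

```shell
# Added example: tally inbound TCP SYNs per (local port, remote address)
# from Shorewall/netfilter LOG lines read on stdin.
# SSH_PORTS defaults to the ports in the rule from the post; match sshd_config.
SSH_PORTS="${SSH_PORTS:-22,5123,7787}"

ssh_port_hits() {
    awk -v ports="$SSH_PORTS" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    /Shorewall:/ && / PROTO=TCP / {
        src = ""; dpt = ""; syn = 0; ack = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i == "SYN") syn = 1
            else if ($i == "ACK") ack = 1
        }
        # Count only bare SYNs (new connection attempts) to the listed ports.
        if (src != "" && (dpt in want) && syn && !ack) hits[dpt " " src]++
    }
    END { for (k in hits) print k, hits[k] }
    ' | sort -k1,1n -k2,2
}

# Constructed sample input (documentation addresses, not real log data).
sample_log() {
cat <<'EOF'
Dec 28 17:27:34 host kernel: Shorewall:net-fw:LOG:IN=eno1 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TTL=49 DF PROTO=TCP SPT=38258 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 28 17:27:35 host sshd[1234]: Connection closed by 192.0.2.10 port 38258 [preauth]
Dec 28 17:28:01 host kernel: Shorewall:net-fw:LOG:IN=eno1 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TTL=49 DF PROTO=TCP SPT=38301 DPT=5123 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 28 17:30:12 host kernel: Shorewall:net-fw:LOG:IN=eno1 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 DF PROTO=TCP SPT=40111 DPT=7787 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 28 17:30:15 host kernel: Shorewall:net-fw:LOG:IN=eno1 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 DF PROTO=TCP SPT=40112 DPT=7787 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 28 17:31:00 host kernel: Shorewall:net-fw:LOG:IN=eno1 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 DF PROTO=TCP SPT=40113 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 28 17:31:30 host kernel: Shorewall:net-fw:LOG:IN=eno1 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=52 PROTO=UDP SPT=40000 DPT=22 LEN=20
EOF
}

# Stand-alone run: prints "port source count" for the sample.
sample_log | ssh_port_hits
```

On a live system the same function reads the real log, for example `ssh_port_hits < /var/log/syslog`.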
  • From Markus Robert Kessler@no_reply@dipl-ing-kessler.de to alt.os.linux.mageia on Mon Dec 29 06:44:09 2025
    From Newsgroup: alt.os.linux.mageia

    On Mon, 29 Dec 2025 01:50:03 -0000 (UTC) William Unruh wrote:

    On 2025-12-28, Markus Robert Kessler <no_reply@dipl-ing-kessler.de>
    wrote:
    On Wed, 19 Nov 2025 23:12:58 -0000 (UTC) William Unruh wrote:

    I have a number of ssh ports that could be used. Is there some way of
    recording which port was used by a remote machine trying to ssh into
    my system (my port, not the remote system's port)

    Not retrospectively. This info is nowhere to be found. But,
    you can try to monitor the connection by running Wireshark, or tcpdump.

    Tcpdump can be run in the foreground or in a "screen" session as a
    background process, writing log data to a file. Wireshark can open and
    display this info. In this trace you can find the destination port.

    Best regards,

    Markus

    I found another way, if you are running shorewall, the firewall software
    for mageia.

    In /etc/shorewall/rules, (or rules.drakx)
    LOG:info net fw tcp,udp 22,5123,7787
    where those port numbers are the ports you have open for ssh to the
    outside world

    Then in /var/log/syslog or /var/log/shorewall (I have never figured out
    how to make that second one work) will be a list of connections to
    ports 22,5123,7787 say.
    Dec 28 17:27:34 dilaton kernel: [12180363.296626] Shorewall:net-fw:LOG:IN=eno1 OUT= MAC=58:11:22:b8:2f:dc:7c:0e:ce:03:15:80:08:00 SRC=116.110.17.103 DST=142.103.234.77 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26545 DF PROTO=TCP SPT=38258 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
    where DST=142.103.234.77 is your local machine's IP, DPT=22 is the one
    of the ports listed in rules which should be the ssh connection port for
    your machine (listed in /etc/ssh/sshd_config ), the time is the date when
    that connection was made (and the same as the time listed for the ssh
    refusal in dmesg or /var/log/syslog.)

    Congratulations! That's even better, since this way, you don't need one
    more tool to get the info needed.

    BR,

    Markus
    --- Synchronet 3.21a-Linux NewsLink 1.2