On 2025-12-28, Markus Robert Kessler <no_reply@dipl-ing-kessler.de> wrote:
> On Wed, 19 Nov 2025 23:12:58 -0000 (UTC) William Unruh wrote:
>> I have a number of ssh ports that could be used. Is there some way of
>> recording which port was used by a remote machine trying to ssh into my
>> system (my port, not the remote system's port)?
>
> Not retrospectively. This info is nowhere to be found. But,
> you can try to monitor the connection by running Wireshark, or tcpdump.
> Tcpdump can be run in foreground or in a "screen" session as a background
> process, writing log data to a file. Wireshark can open and display this
> info. In this trace you can find the destination port.
>
> Best regards,
> Markus

I found another way, if you are running shorewall, the firewall
software for Mageia.
In /etc/shorewall/rules, (or rules.drakx)
LOG:info net fw tcp,udp 22,5123,7787
where those port numbers are the ports you have open for ssh to the outside
world.
Then in /var/log/syslog or /var/log/shorewall (I have never figured out
how to make that second one work) will be a list of connections to
ports 22,5123,7787 say.
Dec 28 17:27:34 dilaton kernel: [12180363.296626] Shorewall:net-fw:LOG:IN=eno1 OUT= MAC=58:11:22:b8:2f:dc:7c:0e:ce:03:15:80:08:00 SRC=116.110.17.103 DST=142.103.234.77 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26545 DF PROTO=TCP SPT=38258 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
where DST=142.103.234.77 is your local machine's IP, DPT=22 is one
of the ports listed in rules which should be the ssh connection port for
your machine (listed in /etc/ssh/sshd_config), the time is the date when
that connection was made (and the same as the time listed for the ssh
refusal in dmesg or /var/log/syslog.)
--- MBSE BBS v1.1.1 (Linux-x86_64)
* Origin: A noiseless patient Spider (2:250/1@fidonet)
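
Added example (not part of the original post, and not Shorewall's own code): a small Python parser for kernel log lines in the format shown above, listing which local port (DPT) each remote address tried. The sample lines, host name, MAC and addresses are constructed; the port list is the one from the rules line in the post, and counting only initial SYN packets for TCP is a choice made in this example.

```python
import re
from collections import Counter

# Constructed sample log (documentation-range addresses), same layout as the line in the post.
SAMPLE = """\
Dec 28 17:27:34 host kernel: [100.000001] Shorewall:net-fw:LOG:IN=eno1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26545 DF PROTO=TCP SPT=38258 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 28 17:27:36 host sshd[1234]: Connection closed by 203.0.113.7 port 38258
Dec 28 17:29:02 host kernel: [188.000002] Shorewall:net-fw:LOG:IN=eno1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26546 DF PROTO=TCP SPT=38260 DPT=5123 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 28 17:29:03 host kernel: [189.000003] Shorewall:net-fw:LOG:IN=eno1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=26547 DF PROTO=TCP SPT=38260 DPT=5123 WINDOW=501 RES=0x00 ACK PSH URGP=0
Dec 28 17:31:10 host kernel: [316.000004] Shorewall:net-fw:LOG:IN=eno1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1201 PROTO=UDP SPT=5000 DPT=7787 LEN=28
"""

# Syslog timestamp, host, then the "Shorewall:<chain>:<disposition>:" prefix before the fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+kernel:.*?"
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<body>.*)$")

def parse_line(line):
    """Return a dict of the KEY=value fields plus a set of bare flags (SYN, DF, ...), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a Shorewall kernel log line (e.g. an sshd message)
    fields, flags = {}, set()
    for tok in m["body"].split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val      # "OUT=" yields an empty string, which is expected
        else:
            flags.add(tok)         # tokens without "=" are TCP/IP flags
    return {"time": m["ts"], "chain": m["chain"], "flags": flags, **fields}

def attempts(text, ports=(22, 5123, 7787)):
    """List (time, source IP, protocol, local port) for each new connection attempt."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or "DPT" not in rec or int(rec["DPT"]) not in ports:
            continue
        # For TCP keep only the opening SYN, not later packets of the same connection.
        if rec.get("PROTO") == "TCP" and ("SYN" not in rec["flags"] or "ACK" in rec["flags"]):
            continue
        out.append((rec["time"], rec["SRC"], rec["PROTO"], int(rec["DPT"])))
    return out

def per_port(text):
    """Count connection attempts per local destination port."""
    return Counter(dpt for _, _, _, dpt in attempts(text))

if __name__ == "__main__":
    for row in attempts(SAMPLE):
        print(*row)
```

To run it on a real log, pass the contents of /var/log/syslog to attempts() instead of SAMPLE.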