This is probably an easy one for the security experts out there, but I would like to know why the /var/log/auth.log appears to be "negotiating" connections for ports that I assume to be closed. Is this normal, or should I look at changing some security settings?
For what it's worth, I do have Fail2Ban setup for monitoring open ports, but I would assume the OS would ignore any attempts to connect to a closed port.
The log snippet below shows a few of the unauthorized failed login attempts. I have also included a list of open ports from the ss -tul command.
/var/log/auth.log Snippet
sshd[76546]: Unable to negotiate with 27.35.34.124 port 43241: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[77249]: Invalid user support from 168.194.80.108 port 16319
sshd[77249]: Connection closed by invalid user support 168.194.80.108 port 16319 [preauth]
sshd[78624]: Connection closed by authenticating user nobody 180.193.186.26 port 65118 [preauth]
sshd[78626]: Unable to negotiate with 188.247.48.198 port 58403: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[79677]: Corrupted MAC on input. [preauth]
sshd[79677]: ssh_dispatch_run_fatal: Connection from 103.75.20.178 port 40688: message authentication code incorrect [preauth]
sshd[79679]: Invalid user Nobody from 85.237.57.200 port 35236
sshd[79679]: Connection closed by invalid user Nobody 85.237.57.200 port 35236 [preauth]
sshd[80022]: Unable to negotiate with 220.120.48.109 port 60939: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[80396]: Unable to negotiate with 203.251.85.160 port 42626: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[81062]: Unable to negotiate with 218.148.11.5 port 61316: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[81064]: Unable to negotiate with 49.48.35.209 port 51022: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[81071]: Invalid user Nobody from 112.141.38.88 port 58901
sshd[81071]: Connection closed by invalid user Nobody 112.141.38.88 port 58901 [preauth]
sshd[81093]: Connection closed by 195.226.194.242 port 51412 [preauth]
sshd[81092]: Connection closed by 195.226.194.142 port 51398 [preauth]
sshd[81446]: Unable to negotiate with 113.22.92.27 port 33534: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[81449]: Unable to negotiate with 47.21.51.190 port 53329: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[82127]: error: kex_exchange_identification: Connection closed by remote host
sshd[82127]: Connection closed by 181.64.10.35 port 54550
sshd[82128]: Invalid user vpsadmin from 181.64.10.35 port 54566
sshd[82128]: Connection closed by invalid user vpsadmin 181.64.10.35 port 54566 [preauth]
sshd[82130]: fatal: Timeout before authentication for 181.64.10.35 port 54648
sshd[82138]: Unable to negotiate with 110.142.35.177 port 60903: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[82176]: Invalid user Ubnt from 98.143.104.196 port 51521
sshd[82176]: Connection closed by invalid user Ubnt 98.143.104.196 port 51521 [preauth]
Open Ports List (ss -tul)
Netid State Local Address:Port Peer Address:Port
udp UNCONN 0.0.0.0:47089 0.0.0.0:*
udp UNCONN 127.0.0.53%lo:domain 0.0.0.0:*
udp UNCONN [omitted]:bootpc 0.0.0.0:*
udp UNCONN 127.0.0.1:323 0.0.0.0:*
udp UNCONN [::1]:323 [::]:*
tcp LISTEN 0.0.0.0:20202 0.0.0.0:*
tcp LISTEN 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0.0.0.0:ssh 0.0.0.0:*
tcp LISTEN 127.0.0.1:smtp 0.0.0.0:*
tcp LISTEN *:8009 *:*
tcp LISTEN *:20201 *:*
tcp LISTEN *:http *:*
tcp LISTEN *:http-alt *:*
tcp LISTEN [::]:ssh [::]:*
tcp LISTEN [::1]:smtp [::]:*
tcp LISTEN *:https *:*
tcp LISTEN [::ffff:127.0.0.1]:8005 *:*
Together, the IPv4 address & port identify a connection by its source. They're still connecting into your port 22 (or whatever sshd is configured to use).
For example, 27.35.34.124 port 43241 identifies a specific connection coming from 27.35.34.124. If there were two or more ssh clients running on that machine, trying to connect to yours, they'd all have the same source IP, but all have different source ports.
Those ports are usually allocated automatically in the ephemeral port range for outgoing connections, and you rarely see them except when you need to unambiguously identify TCP connections.
I'm going to shamelessly link my own answer on SE in case you want more fine detail.