# Why is my auth.log showing totally weird port numbers for succesfull ssh connections?



## dnv (Apr 14, 2018)

This is a FreeBSD 11.1 system with sshd running on the default port 22. It is running from behind a router that accepts connections to port 10000 and then directs them to the FreeBSD system’s IP and port 22 and uses only keys for auth (passwords logins are disabled). Why is my auth.log showing totally weird ports for successfull ssh connections? Regardless of whether I connect from within the local network or from the outside world through the router and it’s port forwarding. I am seeing logs show these connection as happening on ports like 53815, 61990, 52997 and the like. What’s going on?


----------



## Eric A. Borisch (Apr 14, 2018)

Those are the ephemeral ports on the client end of the TCP connection that you’re seeing. They should all be logged as ~ “disconnect from xxx.xxx.xxx.xxx port nnnnn” where the IP address (and port) are from the client side.


----------



## SirDice (Apr 16, 2018)

The source port is always a random port. This is inherent for almost all TCP connections.


----------

