I noticed the same thing on my host several weeks ago.
I strongly suggest removing root access to your ssh, root is probably being tried by more than 50% of all login attempts... the other trials are semi-intelligent random usernames (ie, users that might really well exists, like 'apache' etc... but other usernames which may not like 'albert'). If your username is not part of the list of attempts, then it won't be tried much, and I once found out that if your password is alphanumeric with lower and upper cases, the hacker as a worst chance of finding your password in (26*2+10)^8(chars long) = 62^8 = 2.18e14 steps or 218 millions of millions of steps. This is assuming they try the correct username each time!
The other thing you should do is place ssh on another port, very high. IIRC, port numbers are 16bits and can go as high as 65k... you could use 22xxx where xxx is a random favorite number for example.
Since it is very unlikely that the attacker is targeting you specifically, changing the port number (and removing root access) will very likely stop the attack forever. Though, if the attacker did target you, then you will need some more security tools (intrusion detection, etc...).
Good luck! Simon Steve wrote:
I've recently discovered a curious pattern emerging in my system log with failed login attempts via ssh. Previously, I noticed dictionary attacks launched - which were easy to detect... and I've a process to block the IP address of any host that repeatedly fails to authenticate. What I see now is quite different... I'm seeing a dictionary attack originating from a wide range of IP addresses - testing user-names in sequence... it has been in progress since 22nd November 2008 and has tried 7195 user names in alphabetical order from 521 distinct hosts - with no successive two attempts from the same host. I'm not particularly concerned - since I'm confident that all my users have strong passwords... but it strikes me that this data identifies a bot-net that is clearly malicious attempting to break passwords. Sure, I could use IPtables to block all these bad ports... or... I could disable password authentication entirely... but I keep thinking that there has to be something better I can do... any suggestions? Is there a simple way to integrate a block-list of known-compromised hosts into IPtables - rather like my postfix is configured to drop connections from known spam sources from the sbl-xbl.spamhaus.org DNS block list, for example. Break in attempts today (attempted username/IP address): -- huck 190.60.41.82 huckleberry 81.196.122.2 huckleberry 58.39.145.213 huckleberry 60.230.184.143 hue 58.196.4.2 hue 83.228.92.228 huela 193.41.235.225 huela 193.41.235.225 huey 201.21.216.198 huey 81.149.101.27 hugh 200.123.174.145 hugh 83.228.92.228 hugh 212.46.24.146 hugo 195.234.169.138 hugo 193.86.111.6 hugo 201.224.199.201 hume 69.217.30.214 hume 80.118.132.88 hummer 71.166.159.177 hummer 200.126.119.91 hummer 61.4.210.33 humphrey 80.34.55.88 humphrey 213.163.19.158 humvee 85.222.53.48 humvee 80.24.4.23 hung 61.47.31.130 hung 70.46.140.187 hunter 67.40.86.204 hunter 83.228.92.228 hunter 200.60.156.90 huong 207.250.220.196 huong 125.63.77.3 huong 200.62.142.212 huslu 219.93.187.38 huslu 121.223.228.249 huslu 200.29.135.50 hussein 200.60.156.90 hussein 200.6.220.46 hussein 125.63.77.3 huy 60.191.111.234 huy 200.79.25.39 huyen 213.136.105.130 huyen 190.144.61.58 huyen 121.33.199.37 hy 121.33.199.37 hy 90.190.96.46 hyacinth 81.196.122.2 hyacinth 189.43.21.244 hyacinth 99.242.205.242 hyman 201.21.216.198 hypatia 218.28.143.246 hypatia 195.234.169.138 iain 200.118.119.48 iain 124.42.124.87 iain 194.224.118.61 ian 189.56.92.42 ian 201.28.119.60 ian 210.187.18.199 ianna 211.154.254.120 ianna 84.242.66.10 ianna 193.41.235.225 ianthe 81.246.26.179 ibtesam 87.30.163.87 ichabod 201.251.61.108 ida 62.61.141.93 ida 80.24.4.23 idalee 85.222.53.48 idalee 190.144.61.58 --