For 36 hours now, one of my clients' servers has been logging ssh login attempts from around the world, low volume, persistent, but more frequent than usual. sshd is listening on a non-standard port, just to minimize the garbage in the logs.
A couple of attempts is normal; we've seen that for years. But this is several each hour, and each hour an IP from a different country: Belgium, Korea, Switzerland, Bangladesh, France, China, Germany, Dallas, Greece. Usernames vary: root, mythtv, rheal, etc. There are several levels of defense in use: firewalls, intrusion detection, log monitoring, etc., so each script gets a few guesses and the IP is then rejected.

In theory, the defenses should be sufficient, but I have a concern that I'm missing their strategy here. It's not a DDoS; they are very low volume. It will take them several millennia to guess enough dictionary attack guesses to get through, so what's the point?

--
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
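The pattern described in the post (many sources, each staying under the per-IP rejection limit) only shows up when failures are counted across sources rather than per source. The following is an added example, not part of the original message: it assumes OpenSSH's syslog "Failed password" line format, and the thresholds, host name `gw` and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# OpenSSH failure line (syslog format), e.g.
# "Mar  3 02:31:05 gw sshd[902]: Failed password for invalid user mythtv from 198.51.100.7 port 51234 ssh2"
FAILED = re.compile(
    r"^(?P<day>\w{3}\s+\d+)\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def low_and_slow(lines, min_sources=3, per_ip_max=3):
    """Per day, report sources that each stayed at or under per_ip_max failures.
    Both thresholds are assumptions; set per_ip_max to the per-IP ban limit,
    because that is exactly the traffic a per-IP counter never acts on.
    """
    fails = defaultdict(lambda: defaultdict(list))  # day -> ip -> [(hour, user)]
    for line in lines:
        m = FAILED.match(line)
        if m:
            day = " ".join(m["day"].split())  # "Mar  3" -> "Mar 3"
            fails[day][m["ip"]].append((m["hour"], m["user"]))
    findings = []
    for day, by_ip in fails.items():
        quiet = {ip: ev for ip, ev in by_ip.items() if len(ev) <= per_ip_max}
        if len(quiet) >= min_sources:
            events = [e for ev in quiet.values() for e in ev]
            findings.append({
                "day": day,
                "sources": sorted(quiet),
                "active_hours": sorted({h for h, _ in events}),
                "usernames": sorted({u for _, u in events}),
                "failures": len(events),
            })
    return findings

# Constructed sample log (documentation-range addresses, hypothetical host "gw").
SAMPLE = """\
Mar  3 01:12:40 gw sshd[811]: Failed password for root from 192.0.2.10 port 40112 ssh2
Mar  3 01:12:44 gw sshd[811]: Failed password for root from 192.0.2.10 port 40113 ssh2
Mar  3 02:31:05 gw sshd[902]: Failed password for invalid user mythtv from 198.51.100.7 port 51234 ssh2
Mar  3 03:47:19 gw sshd[955]: Failed password for invalid user rheal from 203.0.113.99 port 33871 ssh2
Mar  3 03:47:23 gw sshd[955]: Failed password for root from 203.0.113.99 port 33872 ssh2
Mar  3 09:00:02 gw sshd[990]: Accepted publickey for ted from 192.0.2.200 port 50022 ssh2
Mar  4 05:05:05 gw sshd[1201]: Failed password for root from 198.51.100.77 port 41000 ssh2
""".splitlines()

if __name__ == "__main__":
    for finding in low_and_slow(SAMPLE):
        print(finding)
```

A finding here means no single address did enough to be rejected, yet the day's total across addresses is above the background rate, which is the signal a per-IP rule alone does not surface.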