There are bad scripties all over the place doing this. One single night can have none, while another night might have 2 to 4000 attempts from a single IP with oodles of different usernames attempted, both legal and illegal usernames. Best practice of disallowing root login has already been mentioned. Make sure you do any security updates put out by your distro to keep things like ssh and openssl type programs as updated as possible.
Most of the time when I whois these IPs, they are coming from Korea and other Asian-based countries. I don't even bother... but if I whois an IP and see it is US owned, I file complaints with both the ISP owner and the user company if there is one (b/c it may not come from a residential IP) to their abuse and security departments. On rare occasions, I've actually had my messages personally replied to (outside of the auto-reply from ISP abuse accounts) which stated they had become aware of the attack and had shut down that computer/port, etc.

laters,
David McD

On 9/2/05, Lisa Boyd <[EMAIL PROTECTED]> wrote:
> I've been checking my Logwatch files and have noticed some failed
> logins for root listed under sshd. I assume someone is trying to break
> into my server, but is this something to seriously worry about?
> Considering my root password is not a dictionary word ;)
>
> Thanks!
> Lisa B.
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
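
The per-IP pattern described in this message (many failed sshd logins from one address across many usernames, some of which do not exist on the host) can be pulled out of the auth log with a short script. This is an added example, not part of the original email; it assumes OpenSSH's syslog "Failed password" line format, and the sample log lines, addresses, usernames and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# OpenSSH "Failed password" lines; older releases logged "illegal user"
# where newer ones log "invalid user" for accounts that do not exist.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<bad>(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
Sep  2 03:11:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Sep  2 03:11:03 host sshd[2102]: Failed password for illegal user admin from 203.0.113.7 port 40002 ssh2
Sep  2 03:11:05 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40003 ssh2
Sep  2 03:11:07 host sshd[2104]: Failed password for root from 203.0.113.7 port 40004 ssh2
Sep  2 08:30:12 host sshd[2290]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
Sep  2 09:02:44 host sshd[2311]: Failed password for alice from 198.51.100.23 port 51234 ssh2
"""

def summarize(lines):
    """Per source IP: failed attempts, root attempts, usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "root": 0,
                                 "unknown_users": set(), "known_users": set()})
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        s = stats[m["ip"]]
        s["attempts"] += 1
        if m["user"] == "root" and not m["bad"]:
            s["root"] += 1
        (s["unknown_users"] if m["bad"] else s["known_users"]).add(m["user"])
    return dict(stats)

def suspects(stats, min_attempts=3, min_users=3):
    """IPs that look like scripted guessing: several tries over several usernames."""
    return sorted(
        ip for ip, s in stats.items()
        if s["attempts"] >= min_attempts
        and len(s["unknown_users"] | s["known_users"]) >= min_users
    )

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip, s in sorted(stats.items(), key=lambda kv: -kv[1]["attempts"]):
        print(ip, s["attempts"], "failed,", s["root"], "for root,",
              len(s["unknown_users"]), "nonexistent usernames")
    print("likely scripted:", suspects(stats))
```

A single mistyped password from a known user stays below the thresholds, while the address cycling through root and nonexistent accounts is flagged; its whois record is then the starting point for an abuse report.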
