Dec 2 14:19:52 myHostname sshd: Did not receive identification string from someip
Dec 2 14:20:31 myHostname sshd: Invalid user fluffy from someip
Dec 2 14:20:33 myHostname sshd: Invalid user admin from someip
Dec 2 14:20:35 myHostname sshd: Invalid user test from someip
Dec 2 14:20:38 myHostname sshd: Invalid user guest from someip
Dec 2 14:20:41 myHostname sshd: Invalid user webmaster from someip
Dec 2 14:20:46 myHostname sshd: Invalid user oracle from someip
Dec 2 14:20:48 myHostname sshd: Invalid user library from someip
Dec 2 14:20:52 myHostname sshd: Invalid user info from someip
Dec 2 14:20:54 myHostname sshd: Invalid user shell from someip
Dec 2 14:20:57 myHostname sshd: Invalid user linux from someip
Dec 2 14:20:59 myHostname sshd: Invalid user unix from someip
Dec 2 14:21:02 myHostname sshd: Invalid user webadmin from someip
... more like this ...
So that’s what a brute force attack on an SSH server looks like! ;)
Fortunately, I took time to read and secure the SSH as best I know how, and no damage appears to be done (if the output of less can be trusted). There were only two real attacks.
All in all, I learned from the whole thing. I should probably start getting into the habit of reading my logs, and I learned a couple of user names not to use (my favorites being fluffy, gopher, and Zmeu). I think I also want to look for an ipchains rule to limit access to only IP addresses in my state.
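
Added example, not part of the original post: a small Python script that reads log lines in the format shown above and reports each source that produces a burst of "Invalid user" attempts, together with the user names it tried. The function names, threshold, time window and sample lines (which use documentation-range IP addresses) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the syslog layout shown in the post; the "[pid]" part is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd(?:\[\d+\])?: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)"
)

def parse(lines, year=2000):
    """Yield (timestamp, user, source) for each 'Invalid user' line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year, so one is assumed (a leap year).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def find_guessing(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {source: sorted user names} for every source with at least
    `threshold` invalid-user attempts inside any sliding `window`."""
    events = defaultdict(list)
    for ts, user, src in parse(lines):
        events[src].append((ts, user))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            if end - start + 1 >= threshold:
                flagged[src] = sorted({u for _, u in evs})
                break
    return flagged

# Constructed sample lines in the post's format (not real log data).
SAMPLE = """\
Dec 2 14:19:52 myHostname sshd: Did not receive identification string from 192.0.2.10
Dec 2 14:20:31 myHostname sshd: Invalid user fluffy from 192.0.2.10
Dec 2 14:20:33 myHostname sshd: Invalid user admin from 192.0.2.10
Dec 2 14:20:35 myHostname sshd: Invalid user test from 192.0.2.10
Dec 2 14:20:38 myHostname sshd[4321]: Invalid user guest from 192.0.2.10
Dec 2 14:20:41 myHostname sshd: Invalid user webmaster from 192.0.2.10
Dec 2 09:02:10 myHostname sshd: Invalid user bob from 198.51.100.7
Dec 2 17:45:03 myHostname sshd: Invalid user bob from 198.51.100.7
""".splitlines()
```

Calling `find_guessing(SAMPLE)` flags only the source with the rapid sequence; the two attempts hours apart from the other address stay below the threshold.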