News item 2008-08-06 - Koos van den Hout

2008-08-06 3 months ago
New (for me): a distributed ssh attack. All different IPs trying to log in as root, which I disable on systems, so it all won't work. From the logs:
Jul 10 02:02:06 idefix sshd[36927]: Failed unknown for illegal user root from 198.105.8.56 port 35529 ssh2
Jul 10 02:21:34 idefix sshd[37295]: Failed unknown for illegal user root from 216.65.214.88 port 52682 ssh2
Jul 10 02:41:58 idefix sshd[37692]: Failed unknown for illegal user root from 67.59.90.96 port 47163 ssh2
Jul 10 03:02:18 idefix sshd[39260]: Failed unknown for illegal user root from 139.29.176.237 port 57930 ssh2
Jul 10 03:22:56 idefix sshd[39933]: Failed unknown for illegal user root from 75.53.25.73 port 48376 ssh2
Seems like a nice distributed attack to circumvent tools that check for repeated attempts from one IP or at too high a rate. But I still get the logcheck e-mail to point at and laugh: distributed ssh root attempts log. Probably all open proxies or part of some botnet.
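An added detection sketch (not part of the original post): it parses the sshd lines quoted above and compares a per-IP failure counter with a per-username count of distinct source addresses in a sliding window. The year, the 2-hour window, both thresholds, the function names and the extra 192.0.2.10 log line are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The five lines quoted in the post, plus one constructed line (192.0.2.10) for contrast.
LOG = """\
Jul 10 02:02:06 idefix sshd[36927]: Failed unknown for illegal user root from 198.105.8.56 port 35529 ssh2
Jul 10 02:21:34 idefix sshd[37295]: Failed unknown for illegal user root from 216.65.214.88 port 52682 ssh2
Jul 10 02:41:58 idefix sshd[37692]: Failed unknown for illegal user root from 67.59.90.96 port 47163 ssh2
Jul 10 03:02:18 idefix sshd[39260]: Failed unknown for illegal user root from 139.29.176.237 port 57930 ssh2
Jul 10 03:22:56 idefix sshd[39933]: Failed unknown for illegal user root from 75.53.25.73 port 48376 ssh2
Jul 10 03:30:00 idefix sshd[40000]: Failed password for illegal user admin from 192.0.2.10 port 40000 ssh2
"""

LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed \S+ for "
    r"(?:(?:illegal|invalid) user )?(\S+) from (\S+) port \d+")

def parse(text, year=2008):
    """Yield (timestamp, user, source_ip); syslog omits the year, so it is assumed."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def per_ip_alerts(events, limit=3):
    """The per-source check: IPs with at least `limit` failed logins."""
    counts = Counter(ip for _, _, ip in events)
    return {ip for ip, n in counts.items() if n >= limit}

def distributed_alerts(events, window=timedelta(hours=2), min_ips=4):
    """Users targeted from >= min_ips distinct addresses inside a sliding window."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_user[user].append((ts, ip))
    alerts = {}
    for user, hits in by_user.items():
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_ips and len(ips) > len(alerts.get(user, ())):
                alerts[user] = ips  # keep the widest spread seen for this user
    return alerts

if __name__ == "__main__":
    print(distributed_alerts(list(parse(LOG))))
```

On these lines the per-IP counter reports nothing, while the per-username view flags root with five distinct sources.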

Koos van den Hout, E-mail koos+web@kzdoos.xs4all.nl. PGP key DSS/1024 0xF0D7C263