Looking at the security logs, I saw a new kind of distributed ssh attack. Not
the usual dictionary of common login names, but a start at:
Sep 30 19:13:06 idefix sshd: Illegal user aaa from 18.104.22.168
Sep 30 19:13:06 idefix sshd: Failed unknown for illegal user aaa from 67.152.2.17 port 36709 ssh2
Slowly but surely working towards:
Oct 1 11:30:20 idefix sshd: Illegal user asn from 22.214.171.124
Oct 1 11:30:21 idefix sshd: Failed unknown for illegal user asn from 126.96.36.199 port 58586 ssh2
A bit of grep and awk later, I found 174 attempts like this (3-letter
account names) from 102 IPs. Now all added to the firewalling rules.
The complete list of source IPs attacking ssh
: still going strong: 211 attempts from
126 IP addresses. Firewall rules updated. List updated.
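
One way to do the counting described above, as an added example and not the author's own commands. The function names (`hits`, `summarize`, `source_ips`) are hypothetical, the sample log is constructed with documentation-range addresses, and it assumes each attempt is counted once via its "Illegal user" line.

```shell
#!/bin/sh
# Constructed sample in the log format shown above (RFC 5737 addresses).
sample_log() {
cat <<'EOF'
Sep 30 19:13:06 idefix sshd: Illegal user aaa from 192.0.2.10
Sep 30 19:13:06 idefix sshd: Failed unknown for illegal user aaa from 192.0.2.10 port 36709 ssh2
Sep 30 19:13:09 idefix sshd: Illegal user aab from 198.51.100.7
Sep 30 19:14:02 idefix sshd: Illegal user admin from 203.0.113.5
Oct  1 11:30:20 idefix sshd[4242]: Illegal user asn from 192.0.2.10
Oct  1 11:30:25 idefix sshd: Illegal user aso from 203.0.113.99
Oct  1 11:31:00 idefix sshd: Accepted password for bob from 192.0.2.44 port 40000 ssh2
EOF
}

# Emit "name ip" for every rejected login whose account name is exactly
# three lowercase letters. Only the "Illegal user" line is used, so the
# paired "Failed ... for illegal user" line is not counted a second time.
hits() {
    LC_ALL=C awk '
        / sshd(\[[0-9]+\])?: Illegal user / {
            for (i = 1; i <= NF; i++) if ($i == "user") break
            if ($(i + 2) != "from") next          # unexpected layout, skip
            if ($(i + 1) ~ /^[a-z][a-z][a-z]$/) print $(i + 1), $(i + 3)
        }'
}

# Print "<attempts> <distinct source IPs>".
summarize() {
    hits | awk '{ n++; if (!($2 in seen)) { seen[$2]; ips++ } }
                END { printf "%d %d\n", n, ips }'
}

# Print each distinct source IP once, busiest first (ties sorted by address).
source_ips() {
    hits | awk '{ c[$2]++ } END { for (ip in c) print c[ip], ip }' |
        sort -k1,1nr -k2,2 | awk '{ print $2 }'
}

# Stand-alone run on the constructed sample.
sample_log | summarize
sample_log | source_ips
```

Pipe the real auth log into `summarize` and `source_ips` instead of `sample_log`; the second list is what would feed the firewall rules.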