Looking at the security logs I saw a new kind of distributed ssh attack. Not the usual dictionary of common login names but a start atSep 30 19:13:06 idefix sshd[99210]: Illegal user aaa from 67.152.2.17 Sep 30 19:13:06 idefix sshd[99210]: Failed unknown for illegal user aaa from 67. 152.2.17 port 36709 ssh2Slowly but surely working towardsOct 1 11:30:20 idefix sshd[32699]: Illegal user asn from 196.211.228.226 Oct 1 11:30:21 idefix sshd[32699]: Failed unknown for illegal user asn from 196.211.228.226 port 58586 ssh2With a bit of grep and awk later I found 174 attempts like this (3 letter account names) from 102 IPs. Now all added to the firewalling rules.The complete list of source IPs attacking ssh
Update 2008-10-01: still going strong: 211 attempts from 126 IP addresses. Firewall rules updated. List updated.