• Subscribe to the low volume list for updates.

SSH failed logins for past month

This graph shows the failed logins into one of our servers for the past month. As you can see they get hammered - just like most servers on the Internet.

I will look at doing some more with the stats to get more of a trend over time, perhaps full automating and building some graphical representations of the data over the months.

ssh failed logins for month - source and number of attempts

As you can see 122.3.9.40 is a busy little server, whois reveals the system is based in the Philippines and a google of the IP shows it be on a number of lists of attacking systems, including one called botnet.txt. So as is likely for most the high scores in this list, they will no doubt be compromised machines used to launch attacks scanning whole ranges of IP's for open or poorly passworded ssh servers.

So now might be a good time to reset all your accounts and make sure you have strong passwords. These ssh brute force attacks are not going away any time soon.

An excellent method of avoiding these attacks is to change your ssh listen port. Simple to do - just change the "Listen" directive in /etc/sshd/sshd_config.