Phase 1: "That's odd..."
During the last few weeks, I noticed an anomaly in the authentication
logs on one of my listening posts. There were a larger than usual
number of ssh login attempts overall, a higher than usual number of
attempts for non-existent user names, as well as some failures for a
few that actually exist...
Phase 2: Not your run-of-the-mill screwup, the data say
Repeated login attempts for non-existent users are nothing new (in fact the bruteforce avoidance section is one of the more popular parts of the PF tutorial), but I was a bit surprised to see the attempts actually reaching this machine, which is on a local network behind a PF gateway with a configuration that is in fact closely related to the one in the tutorial (and the book, for that matter).

Then, looking at the log entries, I noticed a few more things: the attempts are never less than a minute apart, and the attempts from a single host are separated by much longer intervals.

The full data set I extracted from the point where I started noticing those anomalies, summed up to these figures, can be found here, in case you want to look at it and draw your own conclusions.
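The two observations above (attempts never less than a minute apart overall, and each source host returning only after a much longer gap) are exactly what a per-source rate limit such as PF's max-src-conn-rate cannot see, because every single host stays well under any sane threshold. The following script is an added example, not code from the original post or from the PF tutorial: it parses sshd "Failed password" lines, reports the overall and per-host pacing plus the invalid/existing user split, and checks which hosts would have tripped a given connections-per-interval limit. The log lines are constructed for the example (RFC 5737 documentation addresses, made-up users and PIDs), the year is supplied by the caller because syslog timestamps omit it, and the 15/5 limit in the usage call is only an assumed tutorial-style value; substitute your own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (made up for this example, not the post's data).
# Pacing follows the pattern the post describes: no two attempts less than a
# minute apart, and a host that comes back does so much later.
SAMPLE_LOG = """\
Nov 19 15:04:22 skapet sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Nov 19 15:06:01 skapet sshd[12350]: Failed password for invalid user oracle from 198.51.100.7 port 2210 ssh2
Nov 19 15:07:45 skapet sshd[12361]: Failed password for root from 203.0.113.5 port 3300 ssh2
Nov 19 15:09:30 skapet sshd[12370]: Failed password for invalid user test from 192.0.2.44 port 1888 ssh2
Nov 19 15:11:12 skapet sshd[12380]: Failed password for invalid user admin from 198.51.100.90 port 4500 ssh2
Nov 19 15:12:58 skapet sshd[12391]: Failed password for peter from 203.0.113.77 port 2201 ssh2
Nov 19 15:38:40 skapet sshd[12420]: Failed password for invalid user admin from 192.0.2.10 port 4100 ssh2
Nov 19 16:10:05 skapet sshd[12480]: Failed password for invalid user guest from 198.51.100.7 port 2299 ssh2
"""

# OpenSSH writes "invalid user" only when the name does not exist locally.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<host>\S+) port"
)


def parse_failures(log_text, year=2008):
    """Return time-sorted (timestamp, user, is_invalid_user, host) tuples."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts.append((ts, m["user"], m["invalid"] is not None, m["host"]))
    attempts.sort()
    return attempts


def gaps_seconds(timestamps):
    """Whole seconds between consecutive timestamps (assumed sorted)."""
    return [int((b - a).total_seconds()) for a, b in zip(timestamps, timestamps[1:])]


def summarize(attempts):
    """Overall pacing, per-host pacing and the invalid/existing user split."""
    per_host = defaultdict(list)
    for ts, _user, _invalid, host in attempts:
        per_host[host].append(ts)
    same_host_gaps = [g for ts_list in per_host.values() for g in gaps_seconds(ts_list)]
    return {
        "attempts": len(attempts),
        "distinct_hosts": len(per_host),
        "invalid_user_attempts": sum(1 for a in attempts if a[2]),
        "existing_user_attempts": sum(1 for a in attempts if not a[2]),
        "min_gap_overall_s": min(gaps_seconds([a[0] for a in attempts]), default=None),
        "min_gap_same_host_s": min(same_host_gaps, default=None),
    }


def hosts_over_rate(attempts, max_conn, seconds):
    """Hosts that would exceed max_conn connections within any window of
    `seconds` (the shape of PF's max-src-conn-rate), approximating each
    failed login as one new connection. Sliding window per host."""
    per_host = defaultdict(list)
    for ts, _user, _invalid, host in attempts:
        per_host[host].append(ts)
    tripped = set()
    for host, ts_list in per_host.items():
        start = 0
        for end in range(len(ts_list)):
            while (ts_list[end] - ts_list[start]).total_seconds() > seconds:
                start += 1
            if end - start + 1 > max_conn:
                tripped.add(host)
                break
    return tripped


if __name__ == "__main__":
    attempts = parse_failures(SAMPLE_LOG)
    for key, value in summarize(attempts).items():
        print(f"{key}: {value}")
    # 15 connections in 5 seconds is an assumed tutorial-style limit, not a quote
    print("hosts exceeding 15/5:", hosts_over_rate(attempts, 15, 5) or "none")
```

Two caveats when reading the output against a real gateway: max-src-conn-rate counts state creations, not authentication failures, so a host can open fewer connections than it makes login attempts (or more, if it probes without authenticating); and the per-host minimum gap is only defined for hosts that return at all, which in this pattern is a minority, so a low-and-slow campaign shows up as many hosts with one attempt each rather than as any host crossing a threshold.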