"Phase 1: “That's odd..." During the last few
weeks, I noticed an anomaly in the authentication logs on one of my
listening posts. There were a larger than usual number of ssh login
attempts overall, a higher than usual number of attempts for
non-existent user names as well as some failures for a few that
actually exist as well...
"Phase 2: Not your run of the mill screwup, the data say
Repeated login attempts for non-existing users are nothing new (in
fact the bruteforce avoidance section is one of the more popular
parts of the PF tutorial), but I was a bit surprised to see the
attempts actually reaching this machine, which is on a local
network behind a PF gateway with a configuration that is in fact
closely related to the one in the tutorial (and the book for that
matter). Then looking at the log entries, I noticed a few more
things: The attempts are never less than a minute apart, and the
attempts from a single host are separated by much long intervals.
The full data set I extracted from the point I started noticing
those anomalies sum up to these figures can be found here, in case
you want to look at it and draw you own conclusions."