We are getting lots of requests at the moment trying to log into one of our boxes via SSH. It happens in 20 minute bursts, with a new request being tried every 6s. After the 20 minutes it goes away for 8 hours.
It appears to be a straight dictionary attack, with the attempts cycling through usernames like root, user, test, john, henry, george, frank, alan, adam, server, backup, account, master, sybase, oracle, web, data, webmaster, noc, cip51, cip52, cosmin, pamela, jane, adm, irc, apache, operator, mysql, www-data, matt, www, wwwrun, cyrus, horde, iceuser, rolo, patrick, nobody.
It spends most of its time trying to log in as root.
The requests are mostly coming from Russia, with a couple of other IPs from other countries.
The device they are attempting to log into is not advertised in any way, so was probably picked up during a normal port scan.
For the moment I've limited connections to the box for SSH to only be accepted over IPSec, so that's the end of the login attempts.
I guess what I'm posting this for is to make sure everybody has a good password policy in place. Someone is actively trying to compromise accounts via SSH.
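The pattern described above (one source cycling through dictionary usernames at a steady interval of a few seconds, mostly as root) turned into detection logic over sshd log lines. This is an added example, not code from the original post; the log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample auth.log lines imitating the reported pattern: one source
# tries a new dictionary username about every 6 seconds; another host has one
# typo-style failure followed by a successful key login (should not be flagged).
SAMPLE_LOG = """\
Mar  3 02:00:00 host sshd[4101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 02:00:06 host sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 50130 ssh2
Mar  3 02:00:12 host sshd[4105]: Failed password for invalid user oracle from 203.0.113.7 port 50138 ssh2
Mar  3 02:00:18 host sshd[4107]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar  3 02:00:24 host sshd[4109]: Failed password for invalid user webmaster from 203.0.113.7 port 50150 ssh2
Mar  3 02:00:30 host sshd[4111]: Failed password for invalid user www-data from 203.0.113.7 port 50155 ssh2
Mar  3 02:05:00 host sshd[4120]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  3 02:07:00 host sshd[4122]: Accepted publickey for alice from 198.51.100.9 port 40003 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, username, source_ip) for each failed-password line.
    syslog lines carry no year, so one is assumed for parsing."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_dictionary_sources(log_text, min_attempts=5, min_users=3, max_gap_s=30):
    """Return {ip: summary} for sources that look like a dictionary attack:
    many failures, several distinct usernames, short steady gaps between tries.
    Thresholds are assumed defaults; tune them to your own baseline."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        if len(events) < min_attempts:
            continue
        users = {u for _, u in events}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if len(users) >= min_users and median(gaps) <= max_gap_s:
            flagged[ip] = {"attempts": len(events), "users": sorted(users),
                           "median_gap_s": median(gaps),
                           "root_share": sum(u == "root" for _, u in events) / len(events)}
    return flagged
```

The summary per flagged source (attempt count, distinct usernames, median interval, share of root attempts) is what you would feed into an alert or a firewall block list.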
We've been seeing the same thing for a couple of months now. I think it was discussed on this list about a month ago... it's either a worm or a script kiddie script (I forget which) which scans for ssh servers, looking for insecure passwords and attempting to install an irc bot...
Regards,
Simon