Over the last 5 days my publicly accessible system at 220.127.116.11 has had 5,092 attempted SSH logins from 8 IP Addresses.
Unsurprisingly, the most commonly attempted ssh username is “root”, the default administrative account on Linux systems.
What I did find surprising, was that most of the IPs gave up after a relatively low number of attempts.
Even more so was that for each username tried which wasn’t root, the number of passwords attempted was rarely more than a dozen.
Here are the IPs observed attempting the unauthorized logins:
All data was collected via syslog-ng from an Arch Linux server hosted by Rackspace sent to Splunk Storm