First I filter on all TCP/22 activity
I'm actually most concerned with the valid logins first so I check them
Whew. Only 2 logins, those are probably OK.I could check and see who they are but I'm too lazy and I'm anxious to get to the invalid logins:
But I want to get a better sense of time. Big spike right has I was recovering from getting the kids ready for school.
I back up to look at the two types of events I'm seeing during this period of attack: failed passwords and invalid users. I actually discovered the other day that there is an SSH error message for failed login attempts where the username is valid but when it doesn't match the address in the AllowUser option of sshd_config. I thought that was cool. Not sure why I'm not seeing these here.
Yep, Italy again
inetnum: 126.96.36.199 - 188.8.131.52
descr: Universita' degli Studi di Perugia
descr: Centro Ateneo Servizi Informatici, CASI
status: ASSIGNED PI
remarks: Perugia Academic and Research Network
source: RIPE # Filtered