New trends in SSH scans
When the SSH scans–they're too lame to be called attacks–started in June or so I was annoyed, and after a while I moved my sshd(8) to a high port and got peace and quiet in return. But I was curious to see how the scans looked now, and moved sshd(8) back to port 22 again about a month ago. I only allow publickey authentication, so the risk of doing it is null, they can't even get lucky.
Two days ago I started banning the hosts that tried to log in with an illegal user or sent the now well known “Bye Bye” message when disconnecting. It's too early to say whether it helps, but I fear it doesn't, it's probably not an IP-address recidivistic scanner. It's not that stupid.
This morning the “daily output” mail once again contained several hundred lines of login attempts, from two different hosts as usual, but with a twist: new usernames were attempted. Here's a complete list: account, adam, adm, admin, alan, apache, backup, cip51, cip52, cosmin, cyrus, data, frank, george, guest, henry, horde, iceuser, irc, jane, john, master, matt, mysql, noc, oracle, pamela, patrick, rolo, server, sybase, test, user, web, webmaster, www-data and wwwrun.
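As an added example (not the author's tool and not code from any project), here is a small Python script that does the bookkeeping the banning rule above needs: it picks out sshd's "Invalid user" lines and the "Bye Bye" disconnects, groups them by source address, and lists which usernames each host tried. The log lines are constructed for the example and use documentation addresses; on a real system you would feed it the auth log (typically /var/log/authlog on OpenBSD) instead.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format; not taken from the original post.
SAMPLE_LOG = """\
Sep 12 04:11:02 host sshd[14021]: Invalid user admin from 192.0.2.10
Sep 12 04:11:03 host sshd[14021]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Sep 12 04:11:03 host sshd[14021]: Received disconnect from 192.0.2.10: 11: Bye Bye
Sep 12 04:11:05 host sshd[14025]: Invalid user test from 192.0.2.10
Sep 12 04:11:05 host sshd[14025]: Received disconnect from 192.0.2.10: 11: Bye Bye
Sep 12 04:12:41 host sshd[14031]: Invalid user oracle from 198.51.100.7
Sep 12 04:12:42 host sshd[14031]: Received disconnect from 198.51.100.7: 11: Bye Bye
Sep 12 04:30:00 host sshd[14040]: Accepted publickey for alice from 203.0.113.5 port 40022 ssh2
Sep 12 04:35:10 host sshd[14050]: Received disconnect from 203.0.113.5: 11: disconnected by user
"""

# "Invalid user NAME from IP" (newer sshd appends " port N", which search() tolerates).
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
# The scanner's signature disconnect message quoted in the post.
BYE_BYE = re.compile(r"sshd\[\d+\]: Received disconnect from (\d+\.\d+\.\d+\.\d+): \d+: Bye Bye")


def summarise(log_text):
    """Return {ip: {"users": [...], "bye_bye": n}} for every host that tripped a rule."""
    hosts = defaultdict(lambda: {"users": set(), "bye_bye": 0})
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            user, ip = m.groups()
            hosts[ip]["users"].add(user)
            continue
        m = BYE_BYE.search(line)
        if m:
            hosts[m.group(1)]["bye_bye"] += 1
    # Normalise to sorted lists so the output is stable and easy to compare.
    return {ip: {"users": sorted(d["users"]), "bye_bye": d["bye_bye"]}
            for ip, d in hosts.items()}


def ban_candidates(summary, min_hits=1):
    """Addresses with at least min_hits invalid-user attempts plus 'Bye Bye' disconnects."""
    return sorted(ip for ip, d in summary.items()
                  if len(d["users"]) + d["bye_bye"] >= min_hits)


def attempted_usernames(summary):
    """Every username tried across all scanning hosts, deduplicated and sorted."""
    return sorted({u for d in summary.values() for u in d["users"]})


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for ip in ban_candidates(s):
        print(ip, "invalid users:", ", ".join(s[ip]["users"]),
              "| Bye Bye disconnects:", s[ip]["bye_bye"])
    print("all usernames tried:", ", ".join(attempted_usernames(s)))
```

Note that a legitimate session (the publickey login from 203.0.113.5, which disconnects with "disconnected by user") never appears in the summary, so the rule stays narrow: only hosts that guessed a non-existent account or sent the scanner's "Bye Bye" are listed. Raising `min_hits` lets you require several hits before a host is treated as a ban candidate, which is the knob to turn if a single mistyped username from a real user would otherwise get caught.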
Maybe I'll write a small tool today to automatically publish these names and IPs, should be a fun and relaxing pastime.
If you need more background then this “SSH attacks?” thread is not a bad place to start.