SSH Exploit Annoyances

I know that this isn’t a threat, but messages like these have been showing up in my nightly logwatch email for a few months now:


Failed logins from these:
admin/password from 218.8.127.193: 9 Time(s)
backup/password from 218.24.205.20: 3 Time(s)
computer/password from 218.24.205.20: 3 Time(s)
guest/password from 218.8.127.193: 7 Time(s)
info/password from 218.24.205.20: 4 Time(s)
master/password from 218.24.205.20: 4 Time(s)
oracle/password from 218.24.205.20: 5 Time(s)
root/password from 218.24.205.20: 2 Time(s)
root/password from 218.8.127.193: 1 Time(s)
slapme/password from 218.24.205.20: 10 Time(s)
test/password from 218.8.127.193: 9 Time(s)
user/password from 218.8.127.193: 2 Time(s)
webmaster/password from 218.24.205.20: 4 Time(s)
www/password from 218.24.205.20: 5 Time(s)


I know it’s not dangerous, nothing more than people checking the door handle of a locked room, but still annoying. Especially since the number of failures isn’t always 4 or 10, but sometimes in the hundreds.


According to this thread on bugtraq it’s another exploit in the wild, probably being run off of infected zombie boxes, but it’s still annoying. It’s even more annoying and disturbing when I see not only the standard root/admin/test/user attempts, but lists of common first names including ‘alan’, and other user accounts that are actually on the system. Last thing I want is a user with a weak password to get my box owned. Sadly, other than blocking the IPs with firewall rules, which is kinda pointless as the IPs change every day, I don’t think there’s a way to do anything about it.
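For triage, the logwatch section quoted above can be totalled per source address and checked against the accounts that actually exist on the box. This is an added example, not code from the original post; the sample report, the addresses (documentation ranges) and the account set are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the logwatch "Failed logins from these" format shown above.
# Addresses come from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SAMPLE = """\
Failed logins from these:
admin/password from 192.0.2.10: 9 Time(s)
alan/password from 198.51.100.7: 312 Time(s)
root/password from 198.51.100.7: 2 Time(s)
root/password from 192.0.2.10: 1 Time(s)
test/password from 192.0.2.10: 9 Time(s)
"""

LINE = re.compile(r"^\s*(?P<user>\S+)/(?P<method>\S+) from (?P<ip>\S+): (?P<n>\d+) Time\(s\)\s*$")

def parse(report):
    """Yield (user, ip, count) for each failed-login line; skip anything else."""
    for line in report.splitlines():
        m = LINE.match(line)
        if m:
            yield m["user"], m["ip"], int(m["n"])

def summarize(report, local_users):
    """Total failures per source IP, and per targeted name that is a real account."""
    per_ip = defaultdict(int)
    real_hits = defaultdict(int)
    for user, ip, n in parse(report):
        per_ip[ip] += n
        if user in local_users:
            real_hits[user] += n
    return dict(per_ip), dict(real_hits)

def local_accounts(passwd_path="/etc/passwd"):
    """Account names from a passwd-format file (first colon-separated field)."""
    with open(passwd_path) as fh:
        return {l.split(":", 1)[0] for l in fh if l.strip() and not l.startswith("#")}

if __name__ == "__main__":
    # Constructed account set; on a real host pass local_accounts() instead.
    per_ip, real_hits = summarize(SAMPLE, {"root", "alan", "www"})
    for ip, n in sorted(per_ip.items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} {n:5} failures")
    for user, n in sorted(real_hits.items(), key=lambda kv: -kv[1]):
        print(f"existing account targeted: {user} ({n} attempts)")
```

The second list is the one worth reading each night: guesses against names that are real accounts are the ones where a weak password matters.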
