I've disabled password logins, changed the default SSH port (I know that in and of itself is not a solution, but it does cut out a lot of the brain-dead noise) and firewalled off everything except the services that must be reachable externally for the server to function.
I still get hits to the OpenSSH server.
Of those that get as far as specifying a remote username, I see:
1640 root
374 oracle
182 admin
28 guest
10 postgres
10 mysql
10 info
8 server
8 rootalias
8 nagios
6 redhat
6 minecraft
6 debian
4 r00t
4 plex
4 pgsql
4 nexus
4 news
4 musicbot
4 mc
4 jenkins
4 grid
4 gmodserver
4 git
4 ftpuser
4 ftp
4 firefart
4 default
4 cyrus
4 botmaster
4 bot
4 alias
4 admissions
4 adm
2 shop
2 shell
2 share
2 sgi
2 servercsgo
2 send
2 securityagent
2 secret
2 sebastian
2 search
2 scanner
2 sb
2 sara
2 sandbox
2 samba
2 sales
2 rsync
2 rpm
2 rpcuser
2 rpc
2 root4
2 root3
2 root2
2 root1
2 root0
2 rodrigo
2 robert
2 richard
2 redmine
2 recruit
2 rdp
2 radiomail
2 quality
2 qtss
2 putty
2 pussy
2 public
2 prueba
2 proxy
2 projects
2 ppldtepe
2 postpone
2 postmaster
2 postfix
2 popa3d
2 pop
2 poney
2 polycom
2 plexuser
2 PlcmSpIp
2 play
2 phpmyadmin
2 php
2 pentaho
2 paul
2 party
2 ovhuser
2 osmc
2 operator
2 operations
2 operador
2 openvpn
2 opensuse
2 openerp
2 op
2 office
2 odoo
2 nodeserver
2 nodejs
2 nodeclient
2 node
2 nobody
2 nginx
2 nfsnobody
2 newsletter
2 newadmin
2 neil
2 nat
2 named
2 nagiosuser
2 musikbot
2 mongodb
2 module
2 mine
2 miller
2 mike
2 michael
2 media
2 mcserver
2 master
2 mario
2 marco
2 manager
2 mailnull
2 mailman
2 mail
2 lp
2 log
2 list
2 linux
2 library
2 kodi
2 karaf
2 jsserver
2 jsclient
2 js
2 john
2 joel
2 jesus
2 jerry
2 jeff
2 jboss
2 jay
2 james
2 jack
2 jabber
2 irc
2 invitado
2 intel
2 install
2 informix
2 import
2 identd
2 ident
2 hugo
2 httpd
2 http
2 home
2 hlds
2 hduser
2 hdfs
2 harrypotter
2 halt
2 hadoop
2 gpadmin
2 gopher
2 gnats
2 glassfish
2 gituser
2 github
2 git3
2 git2
2 git1
2 ghost
2 george
2 games
2 ftpusr
2 ftptest
2 ftpadmin
2 frontrow
2 frank
2 fld
2 faxadmin
2 fax
2 eppc
2 emily
2 eleve
2 dstat
2 dspace
2 dream
2 download
2 D-Link
2 divine
2 devuser
2 devil
2 developer
2 dev
2 desktop
2 deployer
2 deploy
2 demo1
2 demo
2 debug
2 dean
2 db2inst1
2 david
2 dataentry1
2 database
2 data
2 dasusr1
2 danny
2 dan
2 dale
2 daemon
2 cyrusimap
2 csserver
2 csgoserver
2 csgo
2 cpanel
2 core
2 control
2 content
2 console
2 confluence
2 clamav
2 cisco
2 christian
2 chris
2 charleene
2 centos
2 bwadmin
2 butter
2 build
2 brett
2 bob
2 biz
2 bitrix
2 bin
2 backuppc
2 backup
2 asterisk
2 arkserver
2 aptproxy
2 appserver
2 appowner
2 api
2 apagar
2 apache
2 angel
2 amavisd
2 amanda
2 alex
2 alan
2 agent
2 admins
... if you're running an SSH server on the internet, and you have a root account accessible using a password, change that now!
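One way to produce a tally like the one above from sshd's syslog output, added here as an example and not the script used for this post: it counts one attempt per connection (keyed on the sshd pid) for the messages that name the remote user, and also totals the source addresses, which is the list you would feed to a GeoIP lookup. The log lines are constructed and use documentation IP ranges.

```python
import re
from collections import Counter

# Constructed sshd log excerpt in syslog format; not taken from a real server.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[2201]: Invalid user oracle from 203.0.113.10 port 51234
Mar  3 10:01:12 host sshd[2201]: Connection closed by invalid user oracle 203.0.113.10 port 51234 [preauth]
Mar  3 10:01:20 host sshd[2205]: Connection closed by authenticating user root 198.51.100.7 port 40022 [preauth]
Mar  3 10:01:25 host sshd[2207]: Connection closed by authenticating user root 198.51.100.7 port 40023 [preauth]
Mar  3 10:02:01 host sshd[2210]: Invalid user admin from 203.0.113.10 port 51300
Mar  3 10:02:03 host sshd[2210]: Failed password for invalid user admin from 203.0.113.10 port 51300 ssh2
Mar  3 10:02:30 host sshd[2214]: Accepted publickey for alice from 192.0.2.44 port 60000 ssh2: ED25519 SHA256:AAAA
Mar  3 10:03:00 host sshd[2220]: Failed password for root from 198.51.100.9 port 40100 ssh2
"""

# One pattern per sshd message that names the remote username and source address.
# sshd forks one process per connection, so (pid, user, ip) collapses the several
# lines a single failed connection can emit into one attempt. Successful logins
# ("Accepted ...") deliberately match nothing.
PATTERNS = [
    re.compile(r"sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) from (?P<ip>\S+) port"),
    re.compile(r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"),
    re.compile(r"sshd\[(?P<pid>\d+)\]: Connection closed by (?:authenticating|invalid) user (?P<user>\S+) (?P<ip>\S+) port"),
]


def attempts(log_text):
    """Return the set of distinct (pid, user, ip) login attempts found in the log."""
    found = set()
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                found.add((m.group("pid"), m.group("user"), m.group("ip")))
                break
    return found


def tally(log_text):
    """Attempts per username and per source IP, most common first (like sort | uniq -c | sort -rn)."""
    seen = attempts(log_text)
    by_user = Counter(user for _, user, _ in seen)
    by_ip = Counter(ip for _, _, ip in seen)
    return by_user.most_common(), by_ip.most_common()


if __name__ == "__main__":
    users, ips = tally(SAMPLE_LOG)
    for user, count in users:
        print(f"{count:6d} {user}")
    print("--- by source IP (input for a GeoIP country lookup) ---")
    for ip, count in ips:
        print(f"{count:6d} {ip}")
```

Point it at a real /var/log/auth.log (or `journalctl -u ssh -o cat`) instead of SAMPLE_LOG; note that pids are reused over a long enough log, so split large logs by day before counting.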
Where's all this sh** coming from? Well, if you trust MaxMind's free GeoIP Country database:
1400 KR, Korea, Republic of
265 US, United States
201 FR, France
130 CN, China
84 RU, Russian Federation
63 HK, Hong Kong
56 UA, Ukraine
52 IT, Italy
51 NL, Netherlands
50 ES, Spain
48 TW, Taiwan
46 SE, Sweden
45 BG, Bulgaria
35 GB, United Kingdom
35 CA, Canada
34 BR, Brazil
29 PL, Poland
27 DE, Germany
23 JP, Japan
22 RO, Romania
22 BE, Belgium
20 PE, Peru
20 CH, Switzerland
16 AU, Australia
9 SI, Slovenia
9 IE, Ireland
9 CO, Colombia
8 IN, India
7 EE, Estonia
7 BY, Belarus
4 RS, Serbia
3 PA, Panama
... I was initially surprised to see the ROK (as opposed to the DPRK) beat out other places, but I guess it makes sense given that they have very fast internet.
Is there a point to this? Well...
- Use key-based and/or multi-factor authentication wherever you can
- No matter what port number you use, folks will knock on your door
- Expect any username that even vaguely resembles a default, or a service name, to be attempted
- Never use default passwords, or easily guessed passwords. If you must use a secret you have to remember, make it a passphrase, not just a word