
The Traditional SSH Bruteforce Attack

If you run an Internet-facing SSH service, you have seen something like this in your logs:

Sep 26 03:12:34 skapet sshd[25771]: Failed password for root from 200.72.41.31 port 40992 ssh2

Sep 26 03:12:34 skapet sshd[5279]: Failed password for root from 200.72.41.31 port 40992 ssh2

Sep 26 03:12:35 skapet sshd[5279]: Received disconnect from 200.72.41.31: 11: Bye Bye

Sep 26 03:12:44 skapet sshd[29635]: Invalid user admin from 200.72.41.31

Sep 26 03:12:44 skapet sshd[24703]: input_userauth_request: invalid user admin

Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from 200.72.41.31 port 41484 ssh2

Sep 26 03:12:44 skapet sshd[29635]: Failed password for invalid user admin from 200.72.41.31 port 41484 ssh2

Sep 26 03:12:45 skapet sshd[24703]: Connection closed by 200.72.41.31

Sep 26 03:13:10 skapet sshd[11459]: Failed password for root from 200.72.41.31 port 43344 ssh2

This is the classic, rapid-fire type of bruteforce attack.

Actually, most of them target root exclusively.
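One way to spot this pattern in a log like the excerpt above (an added example, not part of the original slides). It counts distinct failed attempts per source address inside a sliding window. The threshold of 3 failures in 60 seconds, the placeholder year and the final sample line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The first five lines are copied from the excerpt above; the last is constructed.
SAMPLE = """\
Sep 26 03:12:34 skapet sshd[25771]: Failed password for root from 200.72.41.31 port 40992 ssh2
Sep 26 03:12:34 skapet sshd[5279]: Failed password for root from 200.72.41.31 port 40992 ssh2
Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from 200.72.41.31 port 41484 ssh2
Sep 26 03:12:44 skapet sshd[29635]: Failed password for invalid user admin from 200.72.41.31 port 41484 ssh2
Sep 26 03:13:10 skapet sshd[11459]: Failed password for root from 200.72.41.31 port 43344 ssh2
Sep 26 03:20:01 skapet sshd[30001]: Failed password for alice from 192.0.2.10 port 51000 ssh2
""".splitlines()

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")

def failures(lines, year=2000):
    """Distinct failures as (time, user, ip, port). The excerpt logs each failure
    under two sshd PIDs, so the PID is ignored; `year` is an assumed placeholder."""
    seen = set()
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            seen.add((ts, m.group(2), m.group(3), int(m.group(4))))
    return sorted(seen)

def rapid_fire(lines, threshold=3, window=timedelta(seconds=60)):
    """Map source IP -> (attempts, root_attempts) for every IP with at least
    `threshold` distinct failures inside some `window` (assumed values)."""
    by_ip = defaultdict(list)
    for ts, user, ip, _port in failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window start forward
            if end - start + 1 >= threshold:
                users = [u for _, u in events]
                flagged[ip] = (len(users), users.count("root"))
                break
    return flagged

if __name__ == "__main__":
    print(rapid_fire(SAMPLE))
```

Counting raw lines instead of distinct attempts would report five failures from 200.72.41.31 rather than three, which is why the duplicates are collapsed before the threshold is applied.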