Yeah, those are scripts which are used by hackers to try and brute force attack a ssh user login, it cycles through uses and a list of passwords hoping to get a match.

There are a number of things you can do about this.

1) Secure, but not the best:

make sure all none login user accounts on ur system have a shell of /dev/null or /sbin/nologin or /bin/false

look in your /etc/passwd file, and make sure of the above, this should stop any actual logins from occuring.

Also make sure you use nice secure passwords on your login users like root and so on.

This won't stop these attempts, but it should put your mind at ease.

2) The More Secure way - Long way

You can use iptables to block all the ip's of the people trying to brute force attack your server, there are some scripts out there which help automate this process, but i think it's a complete waste of time.

3) The more secure way - Short cut (my personal favourite)

3.1) If you access our server from fixed ip's the whole time then use iptables to only allow connections to port 22 of your server from these fixed iptables, like this:


This would ensure that you can only connect to your ssh port on ur server if you coming from the ip's specified.

3.2) If you have a dynamic ip with something like ADSL, and you know the network ranges your ISP uses (or you could phone and ask them) you could do something like:


This would only allow connections to the ssh port if you are coming from those network ranges.


3.3) If your ISP doesn't use set ranges, then you can use the GEOIP option.
Follow this to get GEOIP support into your kernel and iptables:


then you could include something like this in your iptables scripts:


This would only allow connections to the ssh port of the server if you were coming from a UK connection (should stop those attempts from the Asia countries)


Personally i use 3.1 with my servers, works like a charm, and i never have those ssh attempt problems