It never takes long for the script kiddies to start once you open up ssh to the interweb. Look in your /var/log/auth.log and I'll bet you find a load of brute force attempts on ssh:
Failed password for invalid user bind from 188.8.131.52 port 50739 ssh2
Failed password for invalid user test from 184.108.40.206 port 50950 ssh2
Failed password for invalid user user from 220.127.116.11 port 51105 ssh2
Failed password for invalid user administrator from 18.104.22.168 port 51254 ssh2
This is a "1337 h4X0r" (read: kiddie) running a dictionary of common usernames and passwords against your ssh server. The "invalid user" part means they are guessing account names that don't even exist on the box, so they are not after you in particular, just anything listening on port 22. If you have chosen strong passwords you are a bit safer, but there are better ways.
Use SSH keys instead of passwords
Have a look at the passwordless ssh howto here. Once your key logs you in, set PasswordAuthentication no in /etc/ssh/sshd_config and restart sshd, and the dictionary attacks become noise in the log rather than a risk. If you don't want to switch off passwords, there is another way to block brute force attempts:
DenyHosts is a script designed to run on your ssh server to block brute force attempts. I really like this approach because you can get it to block the offending ip from every TCP-wrapped service on the box, not just ssh: fail a few ssh logins and you can't try ftp, pop or anything else behind tcpd from the same ip for a set number of days. That makes your box inconvenient and somewhere else much easier to try. It also logs all the usernames attempted, so you could feed those into your own dictionary should you be so inclined...
Download from http://denyhosts.sourceforge.net/index.html
Unpack and install (the tarball extracts to DenyHosts-2.5, capital H), then put the config where the spawn line below expects it:

    tar zxvf DenyHosts-2.5.tar.gz   # change for whatever version you're using
    cd DenyHosts-2.5
    sudo python setup.py install
    cd /usr/share/denyhosts
    sudo cp denyhosts.cfg-dist /etc/denyhosts.cfg
    sudo vi /etc/denyhosts.cfg

Settings to change in /etc/denyhosts.cfg (edit the rest to taste; the defaults are fine for most setups, but you might want to lower the allowed attempts, the DENY_THRESHOLD_* values):

    # If you are using Ubuntu, your SECURE_LOG should be as below; comment out all the others
    SECURE_LOG = /var/log/auth.log
    # We use this instead of hosts.deny so we can include it from hosts.deny via TCP wrappers below
    HOSTS_DENY = /etc/hosts.blocked
    # Not essential, but I prefer just locking the buggers out completely. ALL means every service
    # that consults hosts.deny through tcpd/libwrap (sshd, and typically ftp, pop, imap and the like;
    # it is not a firewall rule, so an unwrapped Apache is unaffected). Be careful with it on a
    # multi-service box: one visiting script kiddie behind a NAT can get a whole internet cafe
    # locked out of every wrapped service on your server.
    BLOCK_SERVICE = ALL
    # Removes ips from the list after 7 days, adjust to taste - default is never
    PURGE_DENY = 7d
    # Comment out the other LOCK_FILEs
    LOCK_FILE = /var/run/denyhosts.pid
    # This is a great idea, it lets users around the world share info, so misbehaving ips don't
    # even need to try you to get blocked. Disabled by default.
    SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

Then create the blocked list and hook it into TCP wrappers:

    sudo touch /etc/hosts.blocked
    sudo vi /etc/hosts.deny

adding these two lines to /etc/hosts.deny (use whichever python you installed DenyHosts with; python2.4 is what I had):

    ALL: /etc/hosts.blocked
    sshd: ALL: spawn python2.4 /usr/bin/denyhosts.py --purge -c /etc/denyhosts.cfg : allow
Job done. TCP wrappers will now spawn denyhosts every time a connection reaches sshd; it scans /var/log/auth.log, adds any ip that has passed the failure threshold (the DENY_THRESHOLD_* settings in denyhosts.cfg) to /etc/hosts.blocked, and, thanks to --purge, drops entries older than PURGE_DENY so a 7-day block stays a 7-day block.
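To see what DenyHosts is actually doing with SECURE_LOG, HOSTS_DENY, BLOCK_SERVICE and PURGE_DENY before you trust it with your hosts.deny, here is an added example (my own POSIX shell script, not part of DenyHosts and not from the original howto) that does the same job in miniature: it counts failed-password lines per source ip in a constructed auth.log, lists the usernames tried (the "build your own dictionary" trick from above), writes a hosts.blocked-style file for any ip at or over a threshold, and purges entries older than a set number of days. The sample log lines, the documentation-range ips (192.0.2.10, 198.51.100.7), the "# blocked <epoch>" stamp format and the function names are all my own assumptions; DenyHosts' real on-disk format differs.

```shell
#!/bin/sh
# Added example, not DenyHosts code: a miniature of the block/purge mechanism
# the howto configures, run against a constructed auth.log in a temp dir.
# Nothing here touches /etc/hosts.deny.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SECURE_LOG="$WORK/auth.log"       # stands in for /var/log/auth.log
HOSTS_DENY="$WORK/hosts.blocked"  # stands in for /etc/hosts.blocked
BLOCK_SERVICE=ALL                 # "ALL" or "sshd", as in denyhosts.cfg
THRESHOLD=3                       # failures from one ip before it is blocked
PURGE_DAYS=7                      # PURGE_DENY = 7d

# Constructed sample log lines (Ubuntu sshd format, documentation-range ips):
# 192.0.2.10 fails four times against made-up users, 198.51.100.7 fails once
# against a real account and then logs in with a key.
cat > "$SECURE_LOG" <<'EOF'
Jan 10 03:14:01 web1 sshd[2101]: Failed password for invalid user bind from 192.0.2.10 port 50739 ssh2
Jan 10 03:14:03 web1 sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 50950 ssh2
Jan 10 03:14:05 web1 sshd[2105]: Failed password for invalid user user from 192.0.2.10 port 51105 ssh2
Jan 10 03:14:07 web1 sshd[2107]: Failed password for invalid user administrator from 192.0.2.10 port 51254 ssh2
Jan 10 03:20:11 web1 sshd[2150]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 10 03:21:00 web1 sshd[2160]: Accepted publickey for alice from 198.51.100.7 port 40030 ssh2
EOF

# failed_attempts LOG: prints "<count> <ip>" per source ip, worst offender first.
failed_attempts() {
    sed -n 's/.*Failed password for .* from \([0-9.]*\) port .*/\1/p' "$1" |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# attempted_names LOG: every username tried, real account or "invalid user", deduplicated.
attempted_names() {
    sed -n 's/.*Failed password for //p' "$1" |
        sed 's/^invalid user //' | awk '{ print $1 }' | sort -u
}

# block_offenders LOG DENYFILE [EPOCH]: append a "<service>: <ip>" line for every
# ip at or over THRESHOLD, preceded by an epoch stamp comment so it can be purged
# later (the stamp format is this example's own, not DenyHosts').
block_offenders() {
    log=$1; deny=$2; stamp=${3:-$(date +%s)}
    touch "$deny"
    failed_attempts "$log" | while read -r count ip; do
        [ "$count" -ge "$THRESHOLD" ] || continue
        grep -q "^$BLOCK_SERVICE: $ip\$" "$deny" && continue   # already listed
        printf '# blocked %s\n%s: %s\n' "$stamp" "$BLOCK_SERVICE" "$ip" >> "$deny"
    done
}

# purge_expired DENYFILE: drop entries whose stamp is older than PURGE_DAYS,
# the equivalent of PURGE_DENY / denyhosts.py --purge.
purge_expired() {
    awk -v now="$(date +%s)" -v maxage=$((PURGE_DAYS * 86400)) '
        /^# blocked / { stamp = $3; next }
        now - stamp <= maxage { print "# blocked " stamp; print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

echo "Failed attempts per ip:"; failed_attempts "$SECURE_LOG"
echo "Usernames tried:"; attempted_names "$SECURE_LOG" | tr '\n' ' '; echo
block_offenders "$SECURE_LOG" "$HOSTS_DENY"
purge_expired "$HOSTS_DENY"
echo "Contents of $HOSTS_DENY:"; cat "$HOSTS_DENY"
```

Two things to notice when you run it: only the ip that crossed the threshold ends up in the deny file (alice's single typo does not get 198.51.100.7 blocked), and the purge step is what keeps a 7-day block from becoming a permanent one. Whether a listed ip is actually refused depends on the daemon consulting /etc/hosts.deny through libwrap, which sshd on Ubuntu does and an unwrapped Apache does not, so BLOCK_SERVICE = ALL means every TCP-wrapped service, not a firewall rule.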