A little while ago I asked for some SSH logs and as per usual people responded with gusto. So first of all thanks to all of those that provided logs, it was very much appreciated. Looking through the data it does look like everything is pretty much the same as usual. Get a userid, guess with password1, password2, password3, etc.
One variation did show. One of the log files showed that instead of the password changing the userid was changed. So pick a password and try it with userid1, userid2, userid3, etc, then pick password2 and rinse lather and repeat. Some of the other log files may have showed the same, but not all log files had userid and passwords available.
A number of the IP addresses showed that they were using the same password list, indicating that either they were being generated by the same tool or might be part of the same bot net. Quite a few IP addresses showed up in different logs submitted.
The most common userids were, not unexpectedly, root, admin, administrator, mysql, oracle, nagios. A few more specific userids do creep in, but most are the standard ones.
So not earth shattering or even mildly surprising, but sometimes it is good to know that things haven't changed, much.
As for the attacking IPs. You can find the unique IPaddresses performing SSHattacks here http://www.shearwater.com.au/uploads/files/MH/SSH_attacking_IPs.txt
A number of the logs were provided by the kippo SSH honeypot, which looks like it is well worth running if you want to collect your own info.
Thanks again and if Imanage to dig out anything further I'll keep you up to date.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.