[arm-allstar] Brute force root attack on node from China?

Glenn Morgon radion8hc at gmail.com
Mon Jul 2 04:53:31 EST 2018


I was digging through my Linux log and saw a lot of these in the log:
====

Jul 02 02:06:34 n8hc-47380 sshd[9371]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=118.186.17.9  user=root
Jul 02 02:06:36 n8hc-47380 sshd[9371]: Failed password for root from
118.186.17.9 port 33831 ssh2
Jul 02 02:06:36 n8hc-47380 sshd[9371]: Connection closed by
118.186.17.9 port 33831 [preauth]
Jul 02 02:10:28 n8hc-47380 wpa_supplicant[294]: wlan0: WPA: Group
rekeying completed with b8:8d:12:5f:a5:11 [GTK=CCMP]
Jul 02 02:19:33 n8hc-47380 sshd[9702]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=118.186.17.9  user=root
Jul 02 02:19:35 n8hc-47380 sshd[9702]: Failed password for root from
118.186.17.9 port 45437 ssh2
Jul 02 02:19:35 n8hc-47380 sshd[9702]: Connection closed by
118.186.17.9 port 45437 [preauth]

====

There are literally scores of these line entries in my log in the last
couple of hours since I had rebooted it.  All coming from 118.186.17.9, which
shows as being from China.

Curious that the log reports the port as not being the actual ssh port I
have configured, although, when I ssh into my node it too shows a port that
is not the same port I am using.

I ended up blocking further attempts by running the command:
====
 iptables -A INPUT -s 118.186.17.0/24 -j DROP
====
Although I think I'll change it to 118.186.0.0/16 as it appears all 256
nets are associated to China.  While I realize this doesn't address them
using a proxy, perhaps it will encourage them to seek out an easier target.

I've got a couple of nodes on my network with forwarded custom ssh ports
but this is the only one they seem to have noticed at this point.

So this is my PSA for using strong passwords and checking your logs now and
again.

Glenn
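As an added example that is not part of Glenn's post: a small Python script that does the "checking your logs" step for you, counting sshd `Failed password` lines per source address over a constructed sample modelled on the lines quoted above (the two extra addresses and the `localuser` account are made up). It also shows why the logged port is not the configured ssh port: sshd records the client's ephemeral source port, which changes on every connection.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the journald sshd lines in the post above
# (wrapped lines rejoined); the last two entries are invented for contrast.
SAMPLE_LOG = """\
Jul 02 02:06:34 n8hc-47380 sshd[9371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9  user=root
Jul 02 02:06:36 n8hc-47380 sshd[9371]: Failed password for root from 118.186.17.9 port 33831 ssh2
Jul 02 02:06:36 n8hc-47380 sshd[9371]: Connection closed by 118.186.17.9 port 33831 [preauth]
Jul 02 02:10:28 n8hc-47380 wpa_supplicant[294]: wlan0: WPA: Group rekeying completed with b8:8d:12:5f:a5:11 [GTK=CCMP]
Jul 02 02:19:33 n8hc-47380 sshd[9702]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9  user=root
Jul 02 02:19:35 n8hc-47380 sshd[9702]: Failed password for root from 118.186.17.9 port 45437 ssh2
Jul 02 02:19:35 n8hc-47380 sshd[9702]: Connection closed by 118.186.17.9 port 45437 [preauth]
Jul 02 02:20:01 n8hc-47380 sshd[9710]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Jul 02 02:21:44 n8hc-47380 sshd[9712]: Accepted publickey for localuser from 192.0.2.10 port 51002 ssh2
"""

# "port NNNN" here is the remote client's source port, not the port sshd
# listens on, so it differs from the configured port and varies per attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

def failed_logins(log_text):
    """Map source IP -> Counter of usernames tried, from 'Failed password' lines.
    Only that line is counted, so an attempt is not double-counted with its
    matching pam_unix line; successful 'Accepted' logins are ignored."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    return per_ip

def noisy_sources(log_text, threshold=2):
    """Return [(ip, total_failures, sorted usernames)] for sources with at
    least `threshold` failures, busiest first. On a single-user node a low
    threshold is reasonable: repeated root failures are never legitimate."""
    flagged = []
    for ip, users in failed_logins(log_text).items():
        total = sum(users.values())
        if total >= threshold:
            flagged.append((ip, total, sorted(users)))
    return sorted(flagged, key=lambda entry: -entry[1])

if __name__ == "__main__":
    for ip, total, users in noisy_sources(SAMPLE_LOG):
        print(f"{ip}: {total} failed logins, users tried: {', '.join(users)}")
```

Feed it real output with `journalctl -u ssh --no-pager` (or the sshd unit name your distribution uses) piped into `noisy_sources` to get the same per-address summary for your own node.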

