Past 30 Days of SSH Brute Force Activity
- October 8th, 2009
- Posted in Hacking
During the past 30 days, the honeypot I maintain has been attacked 423 times. Interestingly, the United States was the top offender, with China (no surprise) coming in a close second. All the attacking IP addresses can be found here.
Count – Country
94 – UNITED
82 – CHINA
23 – KOREA
19 – BRAZIL
13 – TAIWAN
11 – POLAND
10 – UNITED
10 – RUSSIAN
10 – ITALY
8 – GERMANY
8 – COLOMBIA
8 – ARGENTINA
7 – MEXICO
7 – INDIA
7 – CZECH
7 – CANADA
5 – SPAIN
5 – HUNGARY
5 – HONG
5 – FRANCE
4 – UKRAINE
4 – TURKEY
4 – ROMANIA
4 – PANAMA
4 – JAPAN
4 – CHILE
4 – AUSTRALIA
3 – BULGARIA
2 – VENEZUELA
2 – SOUTH
2 – SAUDI
2 – PHILIPPINES
2 – PERU
2 – PAKISTAN
2 – NETHERLANDS
2 – MOLDOVA
2 – MALAYSIA
2 – IRAN
2 – HONDURAS
2 – FINLAND
2 – EGYPT
2 – BELGIUM
2 – AUSTRIA
1 – VIET
1 – UNITED
1 – SYRIAN
1 – SRI
1 – SLOVAKIA
1 – SINGAPORE
1 – NICARAGUA
1 – LITHUANIA
1 – KAZAKHSTAN
1 – ISRAEL
1 – IRAQ
1 – GUATEMALA
1 – GREECE
1 – GHANA
1 – COSTA
1 – AZERBAIJAN
The root account was the most targeted username out of all the attacks. It's always a good idea to disable this account when setting up your SSH server. This will slightly decrease the chances of an automated brute-force attack being successful. Listed below are a few more options you should consider if you wish to protect your server.
- Using host-based tools such as DenyHosts, fail2ban or BlockHosts
- Making sure usernames are not easily guessable
- Using multiple factors of authentication or public keys if possible
- Reducing the number of public-facing servers if possible
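The tally of targeted usernames and the per-source threshold that host-based tools like those listed above apply can be sketched as follows. This is an added example, not the honeypot's own code: the log lines are constructed in OpenSSH's "Failed password" format with documentation-range IP addresses, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# OpenSSH "Failed password" line. The username is supplied by the remote side
# and may contain spaces, so the match is anchored at the end of the line and
# the greedy user group leaves the last " from <ip>" as the source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample lines (documentation IP ranges), not real honeypot data.
SAMPLE_LOG = """\
Oct  8 03:12:01 pot sshd[2101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct  8 03:12:03 pot sshd[2101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct  8 03:12:05 pot sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Oct  8 03:15:40 pot sshd[2110]: Failed password for invalid user test user from 198.51.100.7 port 51515 ssh2
Oct  8 03:16:02 pot sshd[2112]: Accepted publickey for alice from 203.0.113.5 port 50022 ssh2
Oct  8 03:20:11 pot sshd[2120]: Failed password for root from 198.51.100.7 port 51600 ssh2
"""


def tally_failures(log_text):
    """Return (per-username, per-source-IP) counts of failed password attempts."""
    users, sources = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if m:
            users[m.group("user")] += 1
            sources[m.group("ip")] += 1
    return users, sources


def offenders(sources, max_retry=3):
    """Source IPs with at least max_retry failures (threshold is an assumption)."""
    return sorted(ip for ip, n in sources.items() if n >= max_retry)


if __name__ == "__main__":
    users, sources = tally_failures(SAMPLE_LOG)
    print("Most targeted usernames:", users.most_common(3))
    print("Candidates for blocking:", offenders(sources))
```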