Referring to this article by Byggvir.
But attackers still keep coming up with new methods.

I'm watching (well, what else can you do with this?) someone who has been brute-forcing my whole cluster of webservers for days now! :(

Here is a little piece of the cake from one server:

May 14 00:51:27 server sshd[4029]: Invalid user allistir from 64.83.58.161
May 14 00:51:27 server sshd[4021]: Invalid user allistir from 83.12.137.44
May 14 00:52:56 server sshd[4319]: Invalid user allistir from 70.145.116.241
May 14 00:53:03 server sshd[4346]: Invalid user allistir from 190.8.192.66
May 14 00:55:11 server sshd[4804]: Invalid user aloysius from 88.87.195.14
May 14 00:56:39 server sshd[5109]: Invalid user alphonse from 87.230.19.127
May 14 00:56:46 server sshd[5132]: Invalid user alphonse from 217.220.122.58
May 14 00:57:37 server sshd[5266]: Invalid user alphonse from 212.18.40.143
May 14 00:57:50 server sshd[5301]: Invalid user alphonse from 168.243.236.228
May 14 00:59:03 server sshd[5535]: Invalid user alphonso from 149.156.65.10
May 14 00:59:04 server sshd[5545]: Invalid user alphonso from 62.141.42.54
May 14 01:00:07 server sshd[5939]: Invalid user alphonso from 89.6.154.247
May 14 01:00:19 server sshd[6093]: Invalid user alphonso from 200.171.228.149
May 14 01:01:39 server sshd[6285]: Invalid user alturing from 88.48.111.85
May 14 01:02:39 server sshd[6454]: Invalid user alturing from 69.53.25.154
May 14 01:02:44 server sshd[6465]: Invalid user alturing from 87.126.111.187
May 14 01:04:13 server sshd[6613]: Invalid user amabelle from 62.38.242.231
May 14 01:05:07 server sshd[6766]: Invalid user amabelle from 203.20.62.10
May 14 01:06:34 server sshd[7084]: Invalid user ambassador from 68.112.226.71
May 14 01:06:39 server sshd[7103]: Invalid user ambassador from 67.151.95.69
May 14 01:07:57 server sshd[7329]: Invalid user ambassador from 88.191.29.130
May 14 01:08:06 server sshd[7357]: Invalid user ambassador from 76.160.167.251
May 14 01:09:00 server sshd[7537]: Invalid user ambrosio from 82.127.25.235
May 14 01:09:08 server sshd[7566]: Invalid user ambrosio from 74.238.169.202
May 14 01:10:29 server sshd[8020]: Invalid user ambrosio from 72.237.31.200
May 14 01:10:45 server sshd[8084]: Invalid user ambrosio from 80.39.105.189
May 14 01:11:31 server sshd[8255]: Invalid user ambrosius from 69.53.25.154
May 14 01:11:37 server sshd[8282]: Invalid user ambrosius from 209.254.234.18
May 14 01:13:00 server sshd[8606]: Invalid user ambrosius from 217.7.232.220
May 14 01:13:04 server sshd[8621]: Invalid user ambrosius from 168.243.236.228
May 14 01:14:00 server sshd[8838]: Invalid user ammamaria from 200.126.119.91
May 14 01:14:04 server sshd[8863]: Invalid user ammamaria from 217.7.233.155
May 14 01:15:27 server sshd[9273]: Invalid user ammamaria from 213.94.214.50
May 14 01:15:35 server sshd[9301]: Invalid user ammamaria from 76.160.167.251
May 14 01:17:03 server sshd[9636]: Invalid user anabella from 69.15.172.22
May 14 01:17:06 server sshd[9645]: Invalid user anabella from 168.243.236.228
May 14 01:18:03 server sshd[9872]: Invalid user anabella from 81.140.3.90
May 14 01:18:07 server sshd[9890]: Invalid user anabella from 164.77.145.60
May 14 01:19:22 server sshd[10201]: Invalid user anabelle from 85.92.138.60
May 14 01:19:22 server sshd[10196]: Invalid user anabelle from 217.16.114.87
May 14 01:20:29 server sshd[10603]: Invalid user anabelle from 69.60.118.191
May 14 01:22:07 server sshd[10994]: Invalid user analiese from 200.150.13.171
May 14 01:22:54 server sshd[11174]: Invalid user analiese from 88.247.180.216
May 14 01:23:00 server sshd[11196]: Invalid user analiese from 195.120.101.75
May 14 01:24:23 server sshd[11561]: Invalid user anallese from 217.160.20.154
May 14 01:24:36 server sshd[11619]: Invalid user anallese from 66.251.14.143
May 14 01:25:26 server sshd[11872]: Invalid user anallese from 211.115.112.45
May 14 01:25:58 server sshd[11974]: Invalid user anallese from 209.254.234.18
May 14 01:26:58 server sshd[12261]: Invalid user anallise from 87.28.13.76
May 14 01:28:16 server sshd[12525]: Invalid user anallise from 85.25.139.12
May 14 01:28:40 server sshd[12597]: Invalid user anallise from 122.249.20.112
May 14 01:31:35 server sshd[13421]: Invalid user spiel from 85.219.222.6
May 14 01:32:52 server sshd[13671]: Invalid user spiel from 71.129.151.193
May 14 01:33:45 server sshd[13853]: Invalid user admin5 from 201.224.224.37
May 14 01:33:47 server sshd[13864]: Invalid user admin5 from 64.238.127.90
May 14 01:35:05 server sshd[14180]: Invalid user admin5 from 81.5.160.149
May 14 01:35:06 server sshd[14198]: Invalid user admin5 from 82.127.50.9
May 14 01:36:06 server sshd[14423]: Invalid user orant from 88.103.123.217
May 14 01:36:10 server sshd[14433]: Invalid user orant from 200.43.219.134
May 14 01:37:27 server sshd[14719]: Invalid user orant from 82.106.69.157
May 14 01:38:55 server sshd[15037]: Invalid user albrecht from 193.251.186.239
May 14 01:38:56 server sshd[15044]: Invalid user albrecht from 217.126.31.206
May 14 01:39:42 server sshd[15215]: Invalid user albrecht from 212.80.237.58
May 14 01:40:15 server sshd[15481]: Invalid user albrecht from 196.212.26.82
May 14 01:41:06 server sshd[15683]: Invalid user appen from 83.15.64.221
May 14 01:41:27 server sshd[15744]: Invalid user appen from 200.126.119.91
May 14 01:42:05 server sshd[15846]: Invalid user appen from 84.202.156.20
May 14 01:42:13 server sshd[15865]: Invalid user appen from 69.15.172.22
May 14 01:43:24 server sshd[16085]: Invalid user bache from 217.173.42.51
May 14 01:43:32 server sshd[16114]: Invalid user bache from 217.159.148.94
May 14 01:44:33 server sshd[16310]: Invalid user bache from 212.18.40.143
May 14 01:45:55 server sshd[16619]: Invalid user bartloff from 207.47.162.126
May 14 01:46:09 server sshd[16676]: Invalid user bartloff from 200.21.231.45
May 14 01:46:51 server sshd[16739]: Invalid user bartloff from 217.126.31.206
May 14 01:46:57 server sshd[16754]: Invalid user bartloff from 67.151.95.69
May 14 01:48:12 server sshd[16959]: Invalid user bethke from 87.139.20.244
May 14 01:48:26 server sshd[16982]: Invalid user bethke from 62.118.210.94
May 14 01:49:37 server sshd[17169]: Invalid user bethke from 213.41.176.229
May 14 01:49:42 server sshd[17184]: Invalid user bethke from 81.115.35.60
May 14 01:50:49 server sshd[17492]: Invalid user boback from 201.47.43.70
May 14 01:52:20 server sshd[17679]: Invalid user boback from 221.8.255.134
May 14 01:52:26 server sshd[17702]: Invalid user boback from 217.86.172.186

The problem is: there is no IP to block within your firewall! (quite useless)
The hit-rate is quite low (you see a log excerpt of one hour, and each IP is used only 1-4 times a day overall)!
(quite a nice huge bot-net ;-) )

The point is, I had been curious for days, since "Logwatch" reported pages and pages of failed SSH logins, but no one got caught by my iptables script (10+ probes at a high hit rate)!

So, a simple grep "Invalid user" /var/log/messages showed: same username per probe + different IP; the wait states between requests vary, and user names aren't used that often ...

Those guys are annoying :(

Edit:

They seem to walk through a database.
The same user names occur on different hosts at similar times, but the bigger server seems to have been detected; it gets more requests:

grep "Invalid user" /var/log/messages|grep fuhrhop
May 14 02:23:12 s1 sshd[21841]: Invalid user fuhrhop from 200.209.6.130
May 14 02:23:15 s1 sshd[21851]: Invalid user fuhrhop from 165.228.98.64
May 14 02:23:46 s2 sshd[15418]: Invalid user fuhrhop from 67.71.212.50
May 14 02:23:57 s1 sshd[21990]: Invalid user fuhrhop from 62.2.211.46
May 14 02:24:06 s1 sshd[22014]: Invalid user fuhrhop from 200.67.193.252

grep "Invalid user" /var/log/messages|grep boback
May 14 01:50:49 s1 sshd[17492]: Invalid user boback from 201.47.43.70
May 14 01:52:09 s2 sshd[15291]: Invalid user boback from 190.8.192.66
May 14 01:52:20 s1 sshd[17679]: Invalid user boback from 221.8.255.134
May 14 01:52:26 s1 sshd[17702]: Invalid user boback from 217.86.172.186

grep "Invalid user" /var/log/messages|grep friebe
May 14 02:18:11 s1 sshd[21085]: Invalid user friebe from 66.122.59.6
May 14 02:18:44 s2 sshd[15387]: Invalid user friebe from 195.30.95.109
May 14 02:18:55 s1 sshd[21119]: Invalid user friebe from 193.41.235.225
May 14 02:19:02 s1 sshd[21134]: Invalid user friebe from 213.134.152.66

*morons*
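
As an added example, not part of the original post: a per-source threshold like the iptables rule described above never fires on this traffic, but grouping the same "Invalid user" lines by username across source IPs and hosts does surface it. The sample lines are copied from the post's grep output; the function names and the thresholds (`threshold=10`, `min_ips=3`) are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Sample input: lines taken from the post's grep output (hosts s1 and s2).
SAMPLE = """\
May 14 02:23:12 s1 sshd[21841]: Invalid user fuhrhop from 200.209.6.130
May 14 02:23:15 s1 sshd[21851]: Invalid user fuhrhop from 165.228.98.64
May 14 02:23:46 s2 sshd[15418]: Invalid user fuhrhop from 67.71.212.50
May 14 02:23:57 s1 sshd[21990]: Invalid user fuhrhop from 62.2.211.46
May 14 02:24:06 s1 sshd[22014]: Invalid user fuhrhop from 200.67.193.252
May 14 01:50:49 s1 sshd[17492]: Invalid user boback from 201.47.43.70
May 14 01:52:09 s2 sshd[15291]: Invalid user boback from 190.8.192.66
May 14 01:52:20 s1 sshd[17679]: Invalid user boback from 221.8.255.134
May 14 01:52:26 s1 sshd[17702]: Invalid user boback from 217.86.172.186
""".splitlines()

# The username is attacker-controlled and may contain spaces, so it is matched
# greedily up to the last " from "; newer sshd versions append " port N".
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Invalid user (?P<user>.*) from (?P<ip>\S+)(?: port \d+)?\s*$"
)

def parse(lines):
    """Yield (host, user, ip) for every sshd 'Invalid user' line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["host"], m["user"], m["ip"]

def noisy_ips(lines, threshold=10):
    """Per-source rule: IPs with at least `threshold` failed attempts."""
    counts = Counter(ip for _, _, ip in parse(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

def distributed_usernames(lines, min_ips=3):
    """Usernames probed from at least `min_ips` distinct source IPs.
    Returns {user: (distinct_ip_count, sorted_hosts_hit)}."""
    ips, hosts = defaultdict(set), defaultdict(set)
    for host, user, ip in parse(lines):
        ips[user].add(ip)
        hosts[user].add(host)
    return {u: (len(s), sorted(hosts[u]))
            for u, s in ips.items() if len(s) >= min_ips}

if __name__ == "__main__":
    print("per-IP rule hits:", noisy_ips(SAMPLE))
    for user, (n, hit) in distributed_usernames(SAMPLE).items():
        print(f"{user}: {n} source IPs, hosts {hit}")
```

Run against the merged logs of all hosts in the cluster, so that the cross-host correlation seen in the grep output above shows up in the result.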