I was looking at my /var/log/auth.log on my personal computer and VPS, and I can see thousands of failed SSH attempts over the past few days. Looking at the attempted logins, I suppose that someone is using a database and trying out common default username/password combinations to attack random IP addresses. I also see that they try this for many different ports.
This approach of attack appears to me to be very very very unlikely to return anything of value. They may as well just try generating bitcoin private keys randomly until they find a wallet with something in it.
Are these ‘hackers’ just playing the lottery and wasting their resources? Or is this a strategy that somehow works reasonably often?
It probably works; it doesn’t take much to scan the internet for an unconfigured or misconfigured server.
You should move your ssh server to another port. Once you do that you won’t see your logs getting spammed by random attempts.
Ok, thanks! I have changed the port and disabled password logins.
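As an added example (not part of the original thread), this Python script summarizes the kind of failed SSH logins described in the question: failures per source address, the usernames being guessed, and any address that failed repeatedly and then logged in. The log lines are constructed samples in the usual OpenSSH format; on a real system the text would be read from /var/log/auth.log, and the function name and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH auth.log style (documentation-range IPs, not real data).
SAMPLE_LOG = """\
Mar  3 02:11:07 vps sshd[2101]: Invalid user admin from 203.0.113.5 port 40022
Mar  3 02:11:09 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Mar  3 02:11:15 vps sshd[2104]: Failed password for root from 203.0.113.5 port 40110 ssh2
Mar  3 02:12:40 vps sshd[2110]: Failed password for invalid user pi from 198.51.100.23 port 51514 ssh2
Mar  3 02:12:44 vps sshd[2112]: Failed password for root from 198.51.100.23 port 51600 ssh2
Mar  3 02:13:02 vps sshd[2115]: Failed password for invalid user oracle from 203.0.113.5 port 40301 ssh2
Mar  3 02:13:09 vps sshd[2117]: Failed password for invalid user test from 10.0.0.1 port 22 from 203.0.113.5 port 40400 ssh2
Mar  3 08:30:12 vps sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:CONSTRUCTED
Mar  3 09:01:55 vps sshd[2410]: Failed password for alice from 192.0.2.10 port 50311 ssh2
"""

# Greedy user match binds to the LAST "from <ip> port <n>", so a username that
# itself contains " from ... port ..." cannot spoof the logged source address.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
                    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (?P<ip>\S+) port \d+")

def summarize(log_text, threshold=3):
    """Count failed password attempts and flag guessing sources that later got in."""
    by_ip, by_user, invalid_users, accepted_ips = Counter(), Counter(), set(), set()
    for line in log_text.splitlines():
        failed = FAILED.search(line)
        if failed:
            by_ip[failed["ip"]] += 1
            by_user[failed["user"]] += 1
            if failed["invalid"]:  # account does not exist on this host
                invalid_users.add(failed["user"])
        else:
            accepted = ACCEPTED.search(line)
            if accepted:
                accepted_ips.add(accepted["ip"])
    # The case that matters: an address with many failures that also logged in.
    guessed_then_in = {ip for ip, n in by_ip.items() if n >= threshold and ip in accepted_ips}
    return {"by_ip": by_ip, "by_user": by_user, "invalid_users": invalid_users,
            "guessed_then_in": guessed_then_in}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in report["by_ip"].most_common():
        print(f"{n:4d} failed  {ip}")
    print("most tried usernames:", report["by_user"].most_common(3))
    print("failures followed by a login:", sorted(report["guessed_then_in"]) or "none")
```

Once password logins are disabled, as in the last reply, new "Failed password" entries should stop appearing, so a non-empty report after that change is a sign the setting did not take effect.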