Brute-Force Attack detected: Am I paranoid or are they out to get me?

netstepinc

After a year in Plesk Purgatory I have returned to the land of DA.
In setting up my new instance of 1.43 I thought I'd try out some of the security features.

  • Parse service logs for brute force attacks: Yes
  • Notify Admins after an IP has 8 login failures on any account.
  • Notify Admins after a User has 8 login failures from any IP.

I've received about 100 brute-force attack notifications since DA came online about 48 hours ago.

Is this typical probing or is this an actual attack?

For example:
000000104 Brute-Force Attack detected in service log on User(s) idsinst Today at 13:21
000000103 Brute-Force Attack detected in service log on User(s) oracle Today at 13:19
000000102 Brute-Force Attack detected in service log on User(s) root Today at 13:16
000000101 Brute-Force Attack detected in service log from IP(s) 222.255.29.52 Today at 13:15
000000100 Brute-Force Attack detected in service log from IP(s) 87.106.66.248 Today at 12:52
000000099 Brute-Force Attack detected in service log on User(s) idsinst Today at 12:21
000000098 Brute-Force Attack detected in service log on User(s) oracle Today at 12:19
000000097 Brute-Force Attack detected in service log on User(s) root Today at 12:16
000000096 Brute-Force Attack detected in service log from IP(s) 222.255.29.52 Today at 12:15
000000095 Brute-Force Attack detected in service log from IP(s) 87.106.66.248 Today at 11:52
000000094 Brute-Force Attack detected in service log from IP(s) 87.106.66.248 Today at 10:52
000000093 Brute-Force Attack detected in service log from IP(s) 87.106.66.248 Today at 09:52
000000092 Brute-Force Attack detected in service log from IP(s) 87.106.66.248 Today at 08:52
000000091 Brute-Force Attack detected in service log from IP(s) 87.106.66.248 Today at 07:52
000000090 Brute-Force Attack detected in service log from IP(s) 211.154.213.119 Today at 07:29
000000089 Brute-Force Attack detected in service log on User(s) ftpuser Today at 04:06
000000088 Brute-Force Attack detected in service log on User(s) guest Today at 04:01
000000087 Brute-Force Attack detected in service log on User(s) admin Today at 03:59
000000086 Brute-Force Attack detected in service log on User(s) root Today at 03:58
000000085 Brute-Force Attack detected in service log from IP(s) 211.154.213.119 Today at 03:56
000000084 Brute-Force Attack detected in service log on User(s) oracle, test Today at 03:54
000000083 Brute-Force Attack detected in service log on User(s) tomcat Today at 03:52
000000082 Brute-Force Attack detected in service log from IP(s) 218.61.139.114 on User(s) admin, root Today at 01:56
 
Roger that.

I actually committed to a hardware firewall at Rackspace too.
As the IPs come in I'm blacklisting them, but I get the impression this could be quite a time-consuming hobby.
 
Just because you're paranoid doesn't mean they're not out to get you :D.

Fifty a day? Not much at all. As mentioned, move SSH to a non-standard port, install CSF (if running Linux), and ignore them. We filter the emails to their own folder, delete them once a week, and only study them if we have a specific problem we're trying to trace.

Jeff
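For the occasions when the notifications do need studying, a tally by source IP and by targeted username shows which sources recur and are worth a firewall rule. This is an added example, not part of any post in this thread; the line format is assumed from the listing in the first post, and the function names are illustrative.

```python
import re
from collections import Counter

# Notification lines copied from the listing in the first post of this thread.
SAMPLE = """\
000000101 Brute-Force Attack detected in service log from IP(s) 222.255.29.52 Today at 13:15
000000100 Brute-Force Attack detected in service log from IP(s) 87.106.66.248 Today at 12:52
000000097 Brute-Force Attack detected in service log on User(s) root Today at 12:16
000000095 Brute-Force Attack detected in service log from IP(s) 87.106.66.248 Today at 11:52
000000084 Brute-Force Attack detected in service log on User(s) oracle, test Today at 03:54
000000082 Brute-Force Attack detected in service log from IP(s) 218.61.139.114 on User(s) admin, root Today at 01:56
"""

# A line may name IPs, users, or both (format assumed from the listing above).
LINE = re.compile(
    r"^(?P<id>\d+) Brute-Force Attack detected in service log"
    r"(?: from IP\(s\) (?P<ips>.+?))?"
    r"(?: on User\(s\) (?P<users>.+?))?"
    r" Today at (?P<time>\d{2}:\d{2})$"
)

def _split(field):
    """Turn 'admin, root' into ['admin', 'root']; a missing field becomes []."""
    return [item.strip() for item in field.split(",")] if field else []

def parse(text):
    """Return (ips, users, time) for each notification line; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((_split(m["ips"]), _split(m["users"]), m["time"]))
    return events

def summarise(events):
    """Count how many notifications mention each IP and each username."""
    ip_hits, user_hits = Counter(), Counter()
    for ips, users, _ in events:
        ip_hits.update(ips)
        user_hits.update(users)
    return ip_hits, user_hits

def repeat_offenders(ip_hits, threshold=2):
    """IPs named in at least `threshold` notifications: candidates for a block rule."""
    return sorted(ip for ip, n in ip_hits.items() if n >= threshold)

if __name__ == "__main__":
    ips, users = summarise(parse(SAMPLE))
    print("repeat IPs:", repeat_offenders(ips))
    print("most targeted users:", users.most_common(3))
```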
 