Every so often, I walk into my office at home and glance at the console for my file server (the machine on my network that has port 22 forwarded to it) and I see new messages like this:
Sep 13 05:56:34 gogo kernel: Sep 13 05:56:34 gogo sshd[49408]: error: PAM: authentication error for root from 188.190.98.6 Sep 13 05:56:34 gogo kernel: Sep 13 05:56:34 gogo sshd[49409]: error: PAM: authentication error for root from 188.190.98.6 Sep 13 05:**:** gogo kernel: Sep 13 05:**:** gogo last message repeated 147 times Sep 13 05:59:41 gogo kernel: Sep 13 05:59:41 gogo sshd[49611]: error: PAM: authentication error for root from 188.190.98.6
This is the big reason why you should never allow people to ssh into the root account of a machine directly accessible via the internet: people will try to break in.
I also amuse myself by adding the IP address to my firewall’s block list, but then, I’m easily amused. I know getting a new IP address is trivial, but I want people who are trying to ssh into root on my file server to have to take that trivial step.