Server load caused by SSH haxors

So, like a good admin, I graph various hosts of mine, and recently, looking through one of the graph sets, I noticed this.

Server2 - load

The hourly spikes are just webmin / virtualmin doing bandwidth calcs and stats generation; other than that it's not a loaded box, so it was surprising to see an extended period of load.

A quick hunt through the logs shows that it appears to be due to some infected system trying to brute force SSH login.

Failed SSH

I usually secure SSH in a number of ways:

  1. SSH Version 2 only
  2. Root logins are disabled
  3. Only specific users can log in
  4. Logins via SSH keys only

So now I've added to the list and set the SSH daemon to listen on a port other than 22. It stops the door knockers and I don't have to run any other active log watching or monitoring software.
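As an added example (not the author's own code), the following script checks the global section of an `sshd_config` against the five measures listed above. Both sample configs are constructed, the user names and port 2222 are placeholders, and it assumes an OpenSSH release that speaks only protocol 2 when no `Protocol` line is present.

```python
# Added example: audit sshd_config text against the five measures in the post.
# Both samples are constructed; user names and port 2222 are placeholders.
SAMPLE_WEAK = """\
# constructed sample: stock-style config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
SAMPLE_HARDENED = """\
# constructed sample
Port 2222
Protocol 2
PermitRootLogin no
AllowUsers alice bob
PasswordAuthentication no
# the next line is ignored by sshd: the first value read for a keyword wins
permitrootlogin yes
"""

def parse_global(text):
    """Return (options, ports) for the lines before the first Match block."""
    opts, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()              # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                  # conditional blocks are out of scope
            break
        if key == "port":                   # Port may appear more than once
            ports.append(value)
        else:
            opts.setdefault(key, value)     # keep the first value only
    return opts, ports

def audit(text):
    o, ports = parse_global(text)
    return {
        # Assumption: a missing Protocol line means protocol 2 only.
        "protocol 2 only": o.get("protocol", "2") == "2",
        "root login disabled": o.get("permitrootlogin", "").lower() == "no",
        "only specific users": bool(o.get("allowusers")),
        "keys only": o.get("passwordauthentication", "yes").lower() == "no",
        "port other than 22": "22" not in (ports or ["22"]),
    }

def failed(text):
    """Names of the measures that the config does not satisfy."""
    return [name for name, ok in audit(text).items() if not ok]
```

Calling `failed(open("/etc/ssh/sshd_config").read())` on a host lists the measures still missing; an empty list means all five are set in the global section.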