Thanks for the help. I completely missed that error.
This guy is persistent. After I cut off 220.232.152.137 we had intrusion attempts from 216.107.171.10. After I cut off that one then we had attempts from 69.80.235.135. Since blocking that network we have had no more attempts recorded.
When I first detected this attempt I thought that my iptables ssh throttle rules were somehow defective:
15 DROP   tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: CHECK seconds: 15 name: THROTTLE side: source
16 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: THROTTLE side: source
however, more careful consideration of the log entries showed that the intruder was connecting every 23-24 seconds, which is outside the throttle threshold of 15 seconds. I am still concerned about any brute force attempt to discover the root password but, given that no more than four connections per minute are possible, just how concerned should I be?
It is evident that this attacker had more than one netblock available. It is conceivable that, instead of serially attacking us, they could just as easily have attempted multiple simultaneous connections from all of their available IP addresses. This would completely defeat the current throttle rules. Should I also throttle the total number of new connections from all IPs?
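As an added illustration of both points raised in the post (a per-source throttle that a client reconnecting every 23-24 seconds slips under, and a global cap on new connections from all sources), here is a rule set that is not from the original poster or their system. It assumes sshd on TCP port 22, IPv4 only, and a netfilter build with the conntrack, recent and hashlimit match modules; the chain names, list names, the 60-second/4-hit window and the 10-per-minute global ceiling are choices made for this example, not values from the post.

```sh
#!/bin/sh
# Added example (not the poster's rules): per-source and global throttles for
# new SSH connections. Assumes sshd on tcp/22 and IPv4 rules in the INPUT chain.
#
# Usage: ssh_throttle_rules iptables   # apply for real (needs root)
#        ssh_throttle_rules echo       # dry run: print the commands instead

ssh_throttle_rules() {
    ipt="${1:-echo}"   # command prefix: "iptables" to apply, "echo" to preview

    # 1. Per-source throttle. The post's THROTTLE list only asks "was there a
    #    hit in the last 15 seconds?", so a client pacing itself at 23-24 s
    #    never trips it. Counting hits over a longer window catches that pace:
    #    the 4th new connection from one address within 60 s is dropped.
    #    --update also refreshes the timestamp on each hit, so an address that
    #    keeps retrying stays blocked until it has been quiet for the full
    #    window, instead of being re-admitted on a fixed schedule.
    "$ipt" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name THROTTLE --set
    "$ipt" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name THROTTLE --update --seconds 60 --hitcount 4 -j DROP

    # 2. Global ceiling, independent of source address. Many addresses used in
    #    parallel each get their own per-source budget above, so a second limit
    #    keyed only on the destination port (one shared bucket for the whole
    #    host) bounds the total rate of new SSH connections at 10 per minute.
    #    Anything over that is dropped by the final rule.
    "$ipt" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name SSH_GLOBAL --hashlimit-mode dstport \
        --hashlimit-upto 10/min --hashlimit-burst 10 -j ACCEPT
    "$ipt" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP
}
```

Run with `echo` first to review the four generated rules; the global hashlimit bucket means a legitimate burst of administrators logging in at once shares the same 10-per-minute budget as an attacker, so size that number to the host's real login rate before applying it.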