Yesterday afternoon I started to receive notification e-mails from my server's firewall's Brute Force Detector to say that the server was being attacked. It blocked the IPs in question; however, every few minutes another attack would occur using a different IP address. The attacks appeared to be trying to log in as root as well as a number of other strange usernames. The firewall would block one IP, and then another would replace it.
It has now been almost 24 hours, and this is still happening - sometimes several attacks a minute. This morning I had over 1000 brute force detection warning emails in my inbox. The attacks are still going on as I write this.
My server seems to be coping OK despite this, albeit with a slightly higher server load than normal - but it's rather worrying all the same.
Should I report this to the server provider? Is there anything I can do, or they can do for that matter? The IPs are different every time, from different ranges. Do I just have to wait it out until whoever it is gives up and stops?
OK, I do not know what type of firewall you are using, so what I am about to suggest might not work for you.
What I do when creating firewalls is to stop anyone from being able to connect directly to my firewalls. E.g. the first couple of rules allow SSH connections from home, work and perhaps another location. Then I drop all other connections to the external interface of the firewall.
That way an external connection cannot even get up a login prompt, but I can still log in from fixed remote locations. Job done.
This does kind of assume you have additional public IP address space pointing at your firewall to enable you to host stuff behind your firewall. If that is true, after the drop you can allow to the rest of your address space as you see fit, with a nice any/any drop to clean up the connections as the final rule.
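The rule order the answer describes (SSH from fixed locations, then drop everything else aimed at the firewall, then the published services behind it, then a final any/any drop) as a small first-match simulation. This is an added example, not the poster's own configuration: the addresses are constructed RFC 5737 documentation ranges, the published ports, the INPUT/FORWARD chain split and the `-m comment` rendering are all assumptions, and `admin_still_has_ssh` is a hypothetical pre-flight check that catches the classic mistake of placing the drop before the allow and locking yourself out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed topology (constructed documentation addresses, not the poster's):
FIREWALL_EXT_IP = "203.0.113.1"                  # the firewall's own external address
HOSTED_NET = "203.0.113.16/28"                   # address space routed through it
ADMIN_IPS = ["198.51.100.10", "198.51.100.200"]  # "home" and "work"


@dataclass
class Rule:
    action: str                               # "ACCEPT" or "DROP"
    src: Optional[ipaddress.IPv4Network]      # None = any source
    dst: Optional[ipaddress.IPv4Network]      # None = any destination
    dport: Optional[int]                      # None = any port
    comment: str


def build_policy(admin_ips, fw_ip, hosted_net, published_ports=(80, 443)):
    """Rules in the order the answer describes: fixed-location SSH first, a drop
    for everything else aimed at the firewall itself, the published services
    behind it, then a final any/any drop."""
    fw = ipaddress.ip_network(fw_ip)
    hosted = ipaddress.ip_network(hosted_net)
    rules: List[Rule] = []
    for ip in admin_ips:
        rules.append(Rule("ACCEPT", ipaddress.ip_network(ip), fw, 22, "ssh from fixed location"))
    rules.append(Rule("DROP", None, fw, None, "nothing else reaches the firewall itself"))
    for port in published_ports:
        rules.append(Rule("ACCEPT", None, hosted, port, f"published service tcp/{port}"))
    rules.append(Rule("DROP", None, None, None, "final any/any clean-up"))
    return rules


def evaluate(rules, src, dst, dport):
    """First-match evaluation of one inbound TCP connection attempt."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.src is not None and s not in r.src:
            continue
        if r.dst is not None and d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.comment
    return "DROP", "no rule matched"


def admin_still_has_ssh(rules, admin_ips, fw_ip):
    """Pre-flight check (hypothetical helper): every fixed location must still
    reach the SSH prompt, otherwise a misordered rule set locks the admin out."""
    return all(evaluate(rules, ip, fw_ip, 22)[0] == "ACCEPT" for ip in admin_ips)


def render_iptables(rules, fw_ip):
    """Render as iptables rule lines. Assumed chain layout: traffic to the
    firewall itself is INPUT, traffic through it to hosted space is FORWARD."""
    fw = ipaddress.ip_network(fw_ip)
    lines = []
    for r in rules:
        chain = "INPUT" if r.dst == fw else "FORWARD"
        parts = [f"-A {chain}"]
        if r.dport is not None:
            parts.append("-p tcp")
        if r.src is not None:
            parts.append(f"-s {r.src}")
        if r.dst is not None:
            parts.append(f"-d {r.dst}")
        if r.dport is not None:
            parts.append(f"--dport {r.dport}")
        parts.append(f'-m comment --comment "{r.comment}"')
        parts.append(f"-j {r.action}")
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    policy = build_policy(ADMIN_IPS, FIREWALL_EXT_IP, HOSTED_NET)
    print("\n".join(render_iptables(policy, FIREWALL_EXT_IP)))
    # A brute-forcer from an arbitrary address never reaches the SSH prompt:
    print(evaluate(policy, "192.0.2.77", FIREWALL_EXT_IP, 22))
    print("admin access intact:", admin_still_has_ssh(policy, ADMIN_IPS, FIREWALL_EXT_IP))
```

Running the check before applying a rule set is the part worth keeping: swap the drop and the allow rules and `admin_still_has_ssh` returns False, which is exactly the lockout the answer's ordering is designed to avoid.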