gtu2003@alice.it writes:
>In my /var/log/messages I have a lot (6000+) of:
>Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
>Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
>Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
>Jul 16 12:51:25 sole sshd[6675]: Invalid user cyrusimap from 72.3.243.92
>Jul 16 12:51:27 sole sshd[6677]: Invalid user qtss from 72.3.243.92
>Jul 16 12:51:28 sole sshd[6679]: Invalid user eppc from 72.3.243.92
>Jul 16 12:51:30 sole sshd[6681]: Invalid user telnetd from 72.3.243.92
>Jul 16 12:51:32 sole sshd[6683]: Invalid user identd from 72.3.243.92
>Jul 16 12:51:33 sole sshd[6685]: Invalid user gnats from 72.3.243.92
>Jul 16 12:51:35 sole sshd[6687]: Invalid user jeff from 72.3.243.92
>Jul 16 12:51:37 sole sshd[6689]: Invalid user irc from 72.3.243.92
There are ssh password attacks on your system -- trying to see if any of
your users (or any users) have weak passwords.
Ban this IP address from your system by placing the address into a line
like
sshd: 72.3.243.92 :deny
Do that before any sshd line giving universal permission, and after a line
giving special sites permission.
sshd: 199.99.99.99 199.222.111. :allow
sshd: 72.3.243.92 :deny
sshd: ALL :allow
This allows anyone from 199.99.99.99 and from the network 199.222.111.0 to
199.222.111.254 to use sshd, disallows 72.3.243.92, and allows anyone else.
This is to make sure that no one from your special list accidentally ends up
in the deny line (it is always the first line which matches which applies).
>What is it? I need to write to something like abuse@72.3.243.92?
You can try. It probably will not do any good. I now have 140 IP addresses
in my hosts.allow file that are banned from my site for behaviour like this.
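
Added example, not part of the reply above: a Python sketch that counts the "Invalid user" lines per source address and inserts deny rules ahead of the universal allow line, skipping any address an earlier rule already matches. The function names, the threshold of 3 and the sample addresses 199.222.111.5 and 203.0.113.7 are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the log lines quoted in the post.
SAMPLE_LOG = """\
Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
Jul 16 12:52:01 sole sshd[6701]: Invalid user test from 199.222.111.5
Jul 16 12:52:02 sole sshd[6703]: Invalid user test2 from 199.222.111.5
Jul 16 12:52:03 sole sshd[6705]: Invalid user test3 from 199.222.111.5
Jul 16 12:53:10 sole sshd[6710]: Invalid user bob from 203.0.113.7
"""
HOSTS_ALLOW = """\
sshd: 199.99.99.99 199.222.111. :allow
sshd: ALL :allow
"""

INVALID = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\d{1,3}(?:\.\d{1,3}){3})\s*$")
RULE = re.compile(r"^sshd:\s*(.*?)\s*:\s*(allow|deny)\s*$")

def count_sources(log_text):
    """Count 'Invalid user' lines per source address."""
    return Counter(m.group(1) for line in log_text.splitlines()
                   if (m := INVALID.search(line)))

def matches(pattern, ip):
    """Host pattern: exact address, or a network prefix ending in '.'."""
    return ip.startswith(pattern) if pattern.endswith(".") else ip == pattern

def add_denies(hosts_allow, counts, threshold=3):  # threshold is an assumption
    """Insert deny rules before the first 'sshd: ALL' rule (first match wins)."""
    lines = hosts_allow.splitlines()
    rules = [RULE.match(line) for line in lines]
    # Position of the first universal rule; end of file if there is none.
    pos = next((i for i, m in enumerate(rules)
                if m and "ALL" in m.group(1).split()), len(lines))
    # Patterns in earlier rules already decide those addresses, so skip them.
    earlier = [p for m in rules[:pos] if m for p in m.group(1).split()]
    denies = [f"sshd: {ip} :deny" for ip, n in sorted(counts.items())
              if n >= threshold and not any(matches(p, ip) for p in earlier)]
    return "\n".join(lines[:pos] + denies + lines[pos:]) + "\n"

if __name__ == "__main__":
    print(add_denies(HOSTS_ALLOW, count_sources(SAMPLE_LOG)), end="")
```

Running it a second time on its own output adds nothing, because the existing deny line then counts as an earlier match.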