brute force warnings with same pattern

Hi,

i have noticed that the brute force warnings that i receive all have the same exact entries. for example:
- Log events from /var/log/secure:
Aug 29 06:39:25 gobo sshd[16388]: Illegal user test from 67.154.250.243
Aug 29 06:39:28 gobo sshd[16388]: Failed password for illegal user test from 67.154.250.243 port 60101 ssh2
Aug 29 06:39:29 gobo sshd[16390]: Illegal user guest from 67.154.250.243
Aug 29 06:39:32 gobo sshd[16390]: Failed password for illegal user guest from 67.154.250.243 port 60181 ssh2
Aug 29 06:39:33 gobo sshd[16392]: Illegal user admin from 67.154.250.243
Aug 29 06:39:35 gobo sshd[16392]: Failed password for illegal user admin from 67.154.250.243 port 60273 ssh2
Aug 29 06:39:37 gobo sshd[16394]: Illegal user admin from 67.154.250.243
Aug 29 06:39:39 gobo sshd[16394]: Failed password for illegal user admin from 67.154.250.243 port 60374 ssh2
Aug 29 06:39:42 gobo sshd[16396]: Illegal user user from 67.154.250.243
Aug 29 06:39:45 gobo sshd[16396]: Failed password for illegal user user from 67.154.250.243 port 60477 ssh2
Aug 29 06:39:48 gobo sshd[16398]: Failed password for root from 67.154.250.243 port 60575 ssh2
Aug 29 06:39:54 gobo sshd[16400]: Failed password for root from 67.154.250.243 port 60657 ssh2
Aug 29 06:39:57 gobo sshd[16402]: Failed password for root from 67.154.250.243 port 60768 ssh2
Aug 29 06:39:58 gobo sshd[16404]: Illegal user test from 67.154.250.243
Aug 29 06:40:01 gobo sshd[16404]: Failed password for illegal user test from 67.154.250.243 port 60867 ssh2
----

- Log events from /var/log/secure:
Aug 29 14:26:20 gobo sshd[16572]: Illegal user test from 210.101.248.112
Aug 29 14:26:22 gobo sshd[16572]: Failed password for illegal user test from 210.101.248.112 port 40545 ssh2
Aug 29 14:26:24 gobo sshd[16578]: Illegal user guest from 210.101.248.112
Aug 29 14:26:26 gobo sshd[16578]: Failed password for illegal user guest from 210.101.248.112 port 40663 ssh2
Aug 29 14:26:28 gobo sshd[16580]: Illegal user admin from 210.101.248.112
Aug 29 14:26:30 gobo sshd[16580]: Failed password for illegal user admin from 210.101.248.112 port 40786 ssh2
Aug 29 14:26:32 gobo sshd[16582]: Illegal user admin from 210.101.248.112
Aug 29 14:26:34 gobo sshd[16582]: Failed password for illegal user admin from 210.101.248.112 port 40889 ssh2
Aug 29 14:26:36 gobo sshd[16584]: Illegal user user from 210.101.248.112
Aug 29 14:26:38 gobo sshd[16584]: Failed password for illegal user user from 210.101.248.112 port 40993 ssh2
Aug 29 14:26:42 gobo sshd[16586]: Failed password for root from 210.101.248.112 port 41095 ssh2
Aug 29 14:26:46 gobo sshd[16588]: Failed password for root from 210.101.248.112 port 41195 ssh2
Aug 29 14:26:50 gobo sshd[16590]: Failed password for root from 210.101.248.112 port 41294 ssh2
Aug 29 14:26:52 gobo sshd[16592]: Illegal user test from 210.101.248.112
Aug 29 14:26:54 gobo sshd[16592]: Failed password for illegal user test from 210.101.248.112 port 41397 ssh2
----


and there are many more aswell. why is this happening? (not the attacks, the actual entries.)

J

 

 

 

 

Top