Abuse Desks

Mike Hammett said:

IMO, the answer is balance.
- Handful of SSH connection attempts against a server. Nobody got in, security hardening did its job. I don't think that is worth reporting.
- Constant brute force SSH attempts from a given source over an extended period of time, or a clear pattern of probing, yes, report that.

The bad guys have already gamed that system. If you have a zillion bots, you
can have each bot try a different name/password on a large batch of IP
Addresses. A victim only sees one try from each bot.

The daily logwatch reports that land in my mailbox are full of ssh attempts
that end with ": 1 Time".

Centralized logging and run the analysis on the aggregate. You’re more likely to catch them that way. No, it isn’t guaranteed, but it’s easier.
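As an added illustration of the aggregate analysis suggested above (example code, not from anyone in this thread): it parses sshd "Failed password" lines from several hosts and surfaces sources that show up only once or twice per host but recur across the fleet. The log lines are constructed, the hostname-prefixed format and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in auth.log style from three hosts (web1, web2, db1).
# Two sources appear once per host ("1 Time" in logwatch) but hit every host.
SAMPLE_LOGS = """\
web1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
web1 sshd[2105]: Failed password for root from 203.0.113.9 port 50111 ssh2
web1 sshd[2110]: Failed password for alice from 192.0.2.44 port 52000 ssh2
web2 sshd[3301]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
web2 sshd[3308]: Failed password for invalid user oracle from 203.0.113.9 port 50120 ssh2
db1 sshd[4402]: Failed password for invalid user ubuntu from 198.51.100.7 port 40141 ssh2
db1 sshd[4409]: Failed password for root from 203.0.113.9 port 50133 ssh2
db1 sshd[4415]: Failed password for alice from 192.0.2.44 port 52010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

def parse(lines):
    """Yield (host, user, ip) for every failed-password line; skip the rest."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("host"), m.group("user"), m.group("ip")

def aggregate(lines):
    """Per source IP: attempt count per host, and the set of usernames tried."""
    per_host = defaultdict(lambda: defaultdict(int))
    users = defaultdict(set)
    for host, user, ip in parse(lines):
        per_host[ip][host] += 1
        users[ip].add(user)
    return per_host, users

def low_and_slow(lines, min_hosts=3, max_per_host=2):
    """Sources that stay at or under max_per_host on every host yet reach min_hosts hosts."""
    per_host, users = aggregate(lines)
    hits = {}
    for ip, hosts in per_host.items():
        if len(hosts) >= min_hosts and max(hosts.values()) <= max_per_host:
            hits[ip] = {"hosts": len(hosts), "users": sorted(users[ip])}
    return hits

if __name__ == "__main__":
    for ip, info in low_and_slow(SAMPLE_LOGS).items():
        print(f"{ip}: {info['hosts']} hosts, users tried {info['users']}")
```

Per host, every one of these sources is a single failed login; only the fleet-wide view shows 198.51.100.7 and 203.0.113.9 walking through the servers while 192.0.2.44 (two attempts as the same user) stays below the threshold.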