Originally Posted by TSCollins
So I've been using Linux for over ten years now and I'm sure like most Linux users I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but knock on wood I've never had a breach. What I am wondering is, is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?
The problem is today you can't really chase someone down like 10, 15 years ago. The attackers you see are likely bots that just hit random IP addresses that have port 22 open; these are mostly dictionary-based attack bots. Real crackers won't be using their own connection but layers of connections, effectively making their IP address very hard if not impossible to track down.
Forget about chasing these as you won't get very far. Attackers can use TOR (onion routing) to pretty much ensure they can't be traced; VPNs (Virtual Private Networks) also come to mind, as they won't give any information to just anyone, and some of them don't even keep records so there is nothing to show. So any information you get from traceroute, nslookup, whois and the lot of other utilities will not help you, because you have no way to verify whether the address you think is connecting to your box is a proxy for others or if it is indeed a direct attack.
What you can do however is harden your SSH config and use blacklisting:
1) Generate an RSA/DSA key for SSH but don't make it passwordless, and do not tie this key to anything else but SSH, because if you lose this keyfile somehow nothing but SSH is considered compromised and they still need a password to log on.
2) Change the port number; this will reduce the amount of traffic you get for the SSH service because the bots will see that port 22 is closed.
3) Black/white lists: create safety zones with known computers you use to log in (semi-trusted) and blacklist the ones you don't trust. If you get SSH attempts that are failing from an IP address you don't know, then blacklist it.
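As an added example (not from either poster), here is a small POSIX shell script implementing step 3: it reads sshd "Failed password" lines, counts failures per source address, skips the addresses in a semi-trusted allowlist, and prints the rest as blacklist candidates. The allowlist, the threshold and the log excerpt are constructed for the example (RFC 5737 documentation addresses); the rule output is printed for review, not applied.

```shell
#!/bin/sh
# Constructed allowlist: the hosts you normally log in from (the semi-trusted zone).
ALLOWLIST="203.0.113.10 198.51.100.5"

# Constructed auth.log excerpt; not real traffic.
SAMPLE_LOG='Mar 12 03:14:07 host sshd[2201]: Failed password for invalid user admin from 192.0.2.44 port 51822 ssh2
Mar 12 03:14:09 host sshd[2201]: Failed password for invalid user admin from 192.0.2.44 port 51823 ssh2
Mar 12 03:14:11 host sshd[2203]: Failed password for root from 192.0.2.44 port 51830 ssh2
Mar 12 03:15:00 host sshd[2210]: Failed password for tsc from 203.0.113.10 port 40022 ssh2
Mar 12 03:16:30 host sshd[2215]: Failed password for invalid user oracle from 198.51.100.77 port 44001 ssh2
Mar 12 03:17:02 host sshd[2220]: Accepted publickey for tsc from 203.0.113.10 port 40030 ssh2'

# is_allowed IP: succeeds when IP is on the allowlist.
is_allowed() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# failed_counts: log on stdin -> "count ip" per source of failed password attempts.
# Only sshd "Failed password ... from <ip> port" lines are counted; accepted logins are ignored.
failed_counts() {
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | awk '{print $1, $2}'
}

# blacklist_candidates THRESHOLD: log on stdin -> IPs with >= THRESHOLD failures
# that are not on the allowlist, one per line, in sorted order.
blacklist_candidates() {
    threshold="$1"
    failed_counts | while read -r count ip; do
        if [ "$count" -ge "$threshold" ] && ! is_allowed "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# scan_sample THRESHOLD: run the scan over the constructed excerpt.
# For a live box: blacklist_candidates 3 < /var/log/auth.log
scan_sample() {
    printf '%s\n' "$SAMPLE_LOG" | blacklist_candidates "$1"
}

# emit_rules THRESHOLD SSHPORT: print (not apply) a DROP rule per candidate for review.
emit_rules() {
    scan_sample "$1" | while read -r ip; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j DROP\n' "$2" "$ip"
    done
}
```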