I'm under attack (sweeps)
A couple of weeks ago I ran lastb on my server, and it came out with nothing. Long story short, today I ran this:
lastb | wc -l
From what I see there are discernible patterns. A lot of pouncing from not too many different IPs. With roughly 10~20 login attempts per minute, I think my adversary isn't human. They are also originating from different parts of the world: Latin America, Asia, USA...
Now what should I do? They have not broken in yet. And I've been doing some reading on security. I guess I am a bit shocked right now, sweaty palms and everything. But I know, /I know/, this is nothing out of the ordinary. Just some bots finding a filtered ssh port on their sweeps, and now pouncing on the door.
I've read about these things enough, but as this is Real World, not an exercise, I want to make sure I understand the basics and take the necessary precautions.
I am behind a hardware firewall that forwards port 22 to my server
My server runs Slackware 12.1
It disallows protocol 1 and root logins
My accounts have odd names, not guessable by permutation of my personal details (nor are they 'lesbian' or 'playboy' as one of the attackers thought; he'd wish... I don't even shave my beard on most days ;))
My passwords are long and secure
What else can I do? Can I run commands when someone logs in to my machine if that someone isn't me? Is there a better way to deal with this than I have done? Without losing functionality, I mean. Can I set a login delay of ~5 seconds on a failed attempt, and how?
What are signs to look for that someone broke in?
Edit: Is it generally a /bad/ idea to sweep back, run a portscan on the incoming IPs? Can I bet the machines (IPs) used are zombies? Real World is different from reading about it.
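As an added example (not from the original post or any reply), a small POSIX shell script that reads lastb-style lines on stdin and summarises the sweep by source address, which is what the poster is doing by eye: attempts per IP, distinct usernames tried from one IP, and sources over a threshold. The sample lines and addresses are constructed; on a real box you would pipe `lastb` into these functions.

```shell
#!/bin/sh
# Added example, not from the original post: read `lastb`-style lines on stdin
# and summarise failed SSH logins by source address.
# Real use: lastb | flag_sources 20
# The sample below is constructed; the addresses are documentation ranges.

SAMPLE_LASTB='playboy  ssh:notty    203.0.113.7    Mon Jun  2 10:15 - 10:15  (00:00)
lesbian  ssh:notty    203.0.113.7    Mon Jun  2 10:15 - 10:15  (00:00)
root     ssh:notty    203.0.113.7    Mon Jun  2 10:16 - 10:16  (00:00)
admin    ssh:notty    198.51.100.23  Mon Jun  2 10:16 - 10:16  (00:00)
test     ssh:notty    203.0.113.7    Mon Jun  2 10:17 - 10:17  (00:00)
oracle   ssh:notty    192.0.2.200    Mon Jun  2 11:02 - 11:02  (00:00)'

# Print "count ip" per source, busiest first. In lastb's default output
# field 1 is the username tried and field 3 the source host; the trailing
# "btmp begins ..." line is skipped because field 2 is not an ssh tty.
attempts_per_ip() {
    awk '$2 ~ /^ssh/ { c[$3]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Number of distinct usernames tried from one source address. A wordlist-
# driven bot shows up as many names from few addresses.
usernames_from_ip() {
    awk -v ip="$1" '$3 == ip && !(seen[$1]++) { n++ } END { print n + 0 }'
}

# Source addresses with at least N failed attempts (default 3), one per line.
flag_sources() {
    attempts_per_ip | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# Demo on the constructed sample: prints the one address that hammered us.
printf '%s\n' "$SAMPLE_LASTB" | flag_sources 3
```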