How can I combat all of these brute force attacks?

Solution 1:

Like Michael Hampton said, They [TM] do this to everyone. Their scripts have detected an IP address listening on a port and they're throwing usernames and passwords at it to see if anything sticks. This is a map of live attacks.

If the emails bother you, you can instead whitelist allowed login IPs and have it email you when someone logs in from a site that's not on the whitelist.

As for the IP in the screenshot, 0.42.0.0:

The address 0.0.0.0 may only be used as the address of an outgoing packet when a computer is learning which IP address it should use. It is never used as a destination address. Addresses starting with "0." are sometimes used for broadcasts to directly connected devices.

If you see addresses starting with a "0." in logs they are probably in use on your network, which might be as small as a computer connected to a home gateway.

This block was assigned by the IETF, the organization that develops Internet protocols, in the Standard document, RFC 1122, and is further documented in the Best Current Practice document RFC 6890. IANA is listed as the registrant to make it clear that this network is not assigned to any single organization.

These documents can be found at:
http://datatracker.ietf.org/doc/rfc1122
http://datatracker.ietf.org/doc/rfc6890
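The whitelist-and-alert approach from Solution 1, worked through as an added example (this is not the answerer's code): it scans sshd "Accepted" lines, flags successful logins whose source address is outside a set of allowed networks, and builds the alert mail. The sample log lines, the allowed ranges (203.0.113.0/24 and 10.0.0.0/8) and the recipient address are all constructed for the demonstration.

```python
import re
from email.message import EmailMessage
from ipaddress import ip_address, ip_network

# Matches a successful sshd login: auth method, user, source IP, source port.
ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\d+\.\d+\.\d+\.\d+) port (\d+)"
)

# Constructed sample of /var/log/auth.log lines (not real data).
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
Jan 10 10:03:10 host sshd[1238]: Failed password for invalid user admin from 192.0.2.9 port 40001 ssh2
Jan 10 10:05:22 host sshd[1240]: Accepted password for root from 198.51.100.77 port 40000 ssh2
Jan 10 10:07:00 host sshd[1242]: Accepted publickey for alice from 10.2.3.4 port 52000 ssh2
"""

# Hypothetical whitelist: an office range and the internal LAN.
ALLOWED = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]


def unexpected_logins(log_text, allowed=ALLOWED):
    """Return (user, ip, method) for every successful login from an address
    that is not inside one of the allowed networks. Failed attempts are
    ignored here; they are noise, the successes are what matter."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        method, user, ip, _port = m.groups()
        addr = ip_address(ip)
        if not any(addr in net for net in allowed):
            hits.append((user, ip, method))
    return hits


def build_alert(hits, hostname="host", to="admin@example.com"):
    """Build the notification mail for non-whitelisted logins.
    Sending is left to the caller (e.g. smtplib) so this runs offline."""
    msg = EmailMessage()
    msg["Subject"] = f"[{hostname}] {len(hits)} SSH login(s) from non-whitelisted address"
    msg["From"] = f"sshd-monitor@{hostname}"
    msg["To"] = to
    body = ["Successful SSH logins from addresses outside the whitelist:", ""]
    for user, ip, method in hits:
        body.append(f"  user={user} from={ip} method={method}")
    msg.set_content("\n".join(body))
    return msg


if __name__ == "__main__":
    found = unexpected_logins(SAMPLE_LOG)
    if found:
        print(build_alert(found))
```

Run it against the real log instead of `SAMPLE_LOG` and hand the returned message to `smtplib.SMTP("localhost").send_message(msg)` from a cron job or a log-tailing loop. A password login for root from an unknown address, as in the sample, is exactly the line worth being paged about; the thousands of failed attempts are not.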

Solution 2:

I'm surprised nobody brought that up but a drastic way to get yourself out of these very common brute force attacks is to set up a port knocking daemon like knockd. Thus, unless the attacker scans your machine with a specific sequence of ports in the correct order, it won't even find an SSH port open. For legitimate users, many SSH clients support this and are able to trigger the correct port sequence before connecting to the ssh server.

But obviously, non-trivial authentication with a running fail2ban jail and appropriate find and ban times is sufficient in almost all cases.
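To make "appropriate find and ban times" concrete, here is an added example (not the answerer's code and not fail2ban itself) that reproduces the jail's core rule over constructed sshd log lines: a source is banned once it accumulates `maxretry` failures inside a sliding `findtime` window, and further failures from a banned source are ignored until `bantime` expires. The function names, the sample log and the parameter values are all assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches an sshd authentication failure: syslog timestamp, user, source IP.
FAIL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port"
)

# Constructed sample log (not real data): one noisy source that hammers the
# host, and one slow source that never exceeds the threshold in any window.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[2001]: Failed password for root from 198.51.100.77 port 40000 ssh2
Jan 10 10:00:03 host sshd[2002]: Failed password for invalid user admin from 198.51.100.77 port 40001 ssh2
Jan 10 10:00:05 host sshd[2003]: Failed password for root from 198.51.100.77 port 40002 ssh2
Jan 10 10:00:06 host sshd[2004]: Failed password for root from 198.51.100.77 port 40003 ssh2
Jan 10 10:00:07 host sshd[2005]: Failed password for root from 198.51.100.77 port 40004 ssh2
Jan 10 10:02:00 host sshd[2006]: Failed password for bob from 203.0.113.5 port 50000 ssh2
Jan 10 10:30:00 host sshd[2007]: Failed password for bob from 203.0.113.5 port 50001 ssh2
Jan 10 10:31:00 host sshd[2008]: Failed password for bob from 203.0.113.5 port 50002 ssh2
Jan 10 10:45:00 host sshd[2009]: Failed password for root from 198.51.100.77 port 40005 ssh2
Jan 10 10:45:01 host sshd[2010]: Failed password for root from 198.51.100.77 port 40006 ssh2
Jan 10 10:45:02 host sshd[2011]: Failed password for root from 198.51.100.77 port 40007 ssh2
"""


def parse_failures(log_text):
    """Return a list of (timestamp, source_ip) for each failed login.
    Syslog timestamps carry no year, so strptime fills in 1900; only the
    relative spacing matters for the window logic."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(3)))
    return events


def compute_bans(events, maxretry=3, findtime=600, bantime=3600):
    """Apply the fail2ban-style rule and return {ip: [ban start times]}.

    findtime and bantime are in seconds, as in jail.local. Failures from a
    source that is currently banned are dropped, since with a firewall ban
    in place those packets would never reach sshd anyway."""
    window = timedelta(seconds=findtime)
    ban_len = timedelta(seconds=bantime)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    banned_until = {}             # ip -> time the ban expires
    bans = defaultdict(list)
    for ts, ip in sorted(events):
        if ip in banned_until and ts < banned_until[ip]:
            continue
        q = recent[ip]
        q.append(ts)
        # Slide the window: forget failures older than findtime.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip].append(ts)
            banned_until[ip] = ts + ban_len
            q.clear()
    return dict(bans)


if __name__ == "__main__":
    for ip, starts in compute_bans(parse_failures(SAMPLE_LOG)).items():
        print(ip, "banned at", [t.strftime("%H:%M:%S") for t in starts])
```

With the defaults (3 failures in 10 minutes, ban for an hour) the noisy source is banned at 10:00:05 and its 10:45 burst is swallowed by the still-active ban, while the slow source never has three failures inside one window. Raising `maxretry` to 5 and shrinking `findtime` to 60 seconds still catches the fast scanner but lets a slow-and-low attacker through, which is the trade-off the "appropriate find and ban times" remark is about: a short findtime cuts false positives for fat-fingered users, a long one catches patient scripts.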