ALIVE @ Samford University

Brian Toone, Assistant Professor


Under hacker attack!

Update - Apparently it was about May of this year when there was a large surge in ssh password attacks. I believe that my computer became a target sometime after that. Here are some good articles reporting on the situation:

“Brute-Force SSH Server Attacks Surge” by InformationWeek

“Brute-force SSH attacks surge” by SC Magazine

This may not be news to many of you, but my new home development machine is under attack! This isn’t your typical script kiddie HTTP attack, but rather a full-blown SSHD password guessing attack. Unfortunately, I did not take screenshots of everything as I detected the attack (which has been going on for about two weeks now) but I do have a few screenshots to help describe the timeline of events:


1 - I opened Process Explorer (an excellent replacement for the Windows Task Manager) to investigate my current CPU usage and running processes. The screenshot above doesn’t show it because I didn’t take a screenshot at the time, but what drew my attention to a possible attack was multiple sshd.exe processes appearing and then disappearing (brightly colored in red to indicate that the process was marked for destruction). My immediate instinct was that somebody was making connections and attempting to guess a password!


2 - I then instinctively (i.e., immediately and as fast as I could) opened a command prompt and typed the command netstat -a, which shows the list of active TCP connections. Sure enough, there were a number of connections to static-217-133-194-98.clienti.tiscali.it.


3 - Next I decided to see if the event viewer had recorded any activity. Wow! Over 30,000 events relating to sshd activity. The screenshot above shows the very first event recording a break-in attempt. On the evening of November 25, I switched my hardware firewall to redirect all port 22 SSH requests to my new computer. The next morning at 11:55:19 AM, the first attack commenced and proceeded to send a new username/password login attempt every 8 seconds for just over 1.5 hours ending at 1:19:19 PM. The attack sequence generated 2489 entries in the event viewer. You can see that the entry records a failed password guess for non-existent user root. The attacking computer then tried a different password before switching to a new user account ftp. Again, this is a non-existent user account. Then the user tried a second time with this user account before switching to another account: sales.
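The pattern described above (a steady cadence of failed logins, a couple of password guesses per username, mostly against accounts that do not exist) is exactly what you would look for when triaging a log like this. The script below is an added example written for this post, not the author's own tooling: it parses the text form of OpenSSH "Failed password" messages (the format Cygwin sshd writes), groups the failures by source address, and flags sources whose volume and cadence look automated. The log lines, host name, addresses (RFC 5737 test ranges), usernames, the year supplied for the year-less syslog timestamps, and the thresholds are all constructed assumptions for the example.

```python
"""Flag brute-force SSH sources from sshd 'Failed password' log lines.

Added example; not the post author's code. Assumes OpenSSH-style auth
messages. Sample data, addresses, thresholds and the syslog year are
constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source cycling through non-existent accounts about
# every 8 seconds (two guesses per name), plus a real user who mistyped once.
SAMPLE_LOG = """\
Nov 26 11:55:19 devbox sshd[4120]: Failed password for invalid user root from 192.0.2.10 port 51022 ssh2
Nov 26 11:55:27 devbox sshd[4122]: Failed password for invalid user root from 192.0.2.10 port 51030 ssh2
Nov 26 11:55:35 devbox sshd[4124]: Failed password for invalid user ftp from 192.0.2.10 port 51041 ssh2
Nov 26 11:55:43 devbox sshd[4126]: Failed password for invalid user ftp from 192.0.2.10 port 51052 ssh2
Nov 26 11:55:51 devbox sshd[4128]: Failed password for invalid user sales from 192.0.2.10 port 51060 ssh2
Nov 26 11:55:59 devbox sshd[4130]: Failed password for invalid user sales from 192.0.2.10 port 51071 ssh2
Nov 26 12:03:05 devbox sshd[4190]: Failed password for brian from 198.51.100.7 port 60044 ssh2
Nov 26 12:03:12 devbox sshd[4192]: Accepted password for brian from 198.51.100.7 port 60044 ssh2
"""

# "invalid user" is present only when the account does not exist on the host,
# which is how sshd distinguishes a bad password from a guessed username.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_failures(log_text, year=2008):
    """Return (timestamp, source, user, is_invalid_user) for each failed login.

    Syslog timestamps carry no year, so one is supplied (assumed here).
    Lines that are not password failures (accepted logins, disconnects) are skipped.
    """
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["src"], m["user"], m["invalid"] is not None))
    return out


def summarize(failures):
    """Group failures by source and compute the signals a brute-forcer leaves:
    attempt count, distinct usernames tried, share of non-existent accounts,
    and the median gap in seconds between consecutive attempts."""
    by_src = defaultdict(list)
    for ts, src, user, invalid in failures:
        by_src[src].append((ts, user, invalid))
    summary = {}
    for src, events in by_src.items():
        events.sort()  # chronological; timestamps are the first tuple element
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        summary[src] = {
            "attempts": len(events),
            "users": sorted({u for _, u, _ in events}),
            "invalid_fraction": sum(1 for _, _, inv in events if inv) / len(events),
            "median_gap_s": sorted(gaps)[len(gaps) // 2] if gaps else None,
            "first": events[0][0],
            "last": events[-1][0],
        }
    return summary


def brute_force_sources(summary, min_attempts=5, max_median_gap_s=60):
    """Sources with enough failures arriving at a machine-like cadence.

    Thresholds are assumptions suited to a single-user box: a person who
    fat-fingers a password produces one or two failures minutes apart, not
    dozens a few seconds apart. The user list and invalid-account fraction in
    the summary are the supporting evidence to check before blocking.
    """
    flagged = []
    for src, s in summary.items():
        if s["attempts"] < min_attempts or s["median_gap_s"] is None:
            continue
        if s["median_gap_s"] <= max_median_gap_s:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    report = summarize(parse_failures(SAMPLE_LOG))
    for src in brute_force_sources(report):
        s = report[src]
        print(f"{src}: {s['attempts']} failures from {s['first']:%H:%M:%S} "
              f"to {s['last']:%H:%M:%S}, one every ~{s['median_gap_s']:.0f}s; "
              f"users tried: {', '.join(s['users'])}; "
              f"{s['invalid_fraction']:.0%} against non-existent accounts")
```

On the sample data only 192.0.2.10 is flagged: six failures eight seconds apart across three usernames that do not exist on the host. The single failure from 198.51.100.7 is followed by an accepted login from the same address and never reaches the attempt threshold. Feeding the real event-log export through the same functions (or a Windows-specific exporter that reduces each record to the same text form) is the quickest way to get a per-source picture from tens of thousands of events.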
