Twice a week I receive an email to abuse@mydomain.tld that says:
An attempt to brute-force account passwords over SSH/FTP by a machine in your domain or in your network has been detected. Attached are the host who attacks and time / date of activity. Please take the necessary action(s) to stop this activity immediately. If you have any questions please reply to this email.
Host of attacker: <MYIP> => server.mydomain.tld => mydomain.tld
Responsible email contacts: abuse@mydomain.tld, abuse@ovh.net
Attacked hosts in our Network: 37.228.155.101, 185.39.222.116, 77.75.254.116, 185.39.221.179, 37.228.154.167, 37.228.154.61, 85.158.181.17, 185.39.222.20
Logfile entries (time is MET / GMT+1):
Sat Jun 22 06:51:55 2019: user: vnc service: ssh target: 185.39.221.179 source: <MYIP>
Sat Jun 22 06:48:29 2019: user: mysqldump service: ssh target: 185.39.222.116 source: <MYIP>
Sat Jun 22 06:46:59 2019: user: testftp service: ssh target: 185.39.222.116 source: <MYIP>
Sat Jun 22 06:45:59 2019: user: www-data service: ssh target: 185.39.222.116 source: <MYIP>
Sat Jun 22 06:44:29 2019: user: ubuntu service: ssh target: 185.39.222.116 source: <MYIP>
Sat Jun 22 06:43:29 2019: user: postgres service: ssh target: 185.39.222.116 source: <MYIP>
Sat Jun 22 06:41:59 2019: user: ubuntu service: ssh target: 185.39.222.116 source: <MYIP>
Sat Jun 22 06:40:59 2019: user: dong service: ssh target: 185.39.222.116 source: <MYIP>
Sat Jun 22 06:39:29 2019: user: root service: ssh target: 185.39.222.116 source: <MYIP>
[ ... other 4 IPs ... ]
They are always the same 4 IPs. For SSH authentication I use Google 2 factor, I have root user disabled and only an user allowed. I have also changed che port. This is a VPS by OVH where I have a mail server so I'm a little worried.
