Subject: Re: security/2075
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 08/14/2005 21:25:08
Steven M. Bellovin wrote:

> This is not correct.  There are exploits in the wild that try 
> password-guessing attacks via ssh.  In fact, the attack is quite common.

Are you sure these are *exploits* that attempt password guessing and
not just scanning bots that try a (rather short) wordlist of passwords
on a selected list of usernames?

#6 in my post addresses this issue.

And what added value would anyone gain from having the failed root
logins separated from the rest of the failed logins in that case? If
an admin is looking at the logs, you'd expect her to be (a) smart to
not have a weak root password, and (b) clued to understand that if
you get failed login attempts from a remote host to more than one
account it's probably just a scan, and the origin should be blocked.

This doesn't change the fact that there is no justification to have
failed root logins separated from the rest of the failed logins.

-e.

-- 
Elad Efrat
PGP Key ID: 0x666EB914
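The heuristic in point (b) above, as an added example that is not part of the thread or of NetBSD: group failed sshd password attempts by remote host and flag any host whose failures span more than one account, with root failures counted like any other account rather than separated out. The log lines are constructed; the message format assumed is the usual "Failed password for ... from ... port ..." form.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the thread).
SAMPLE_LOG = """\
Aug 14 21:10:01 host sshd[1201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Aug 14 21:10:03 host sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 40125 ssh2
Aug 14 21:10:05 host sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Aug 14 21:10:09 host sshd[1204]: Failed password for root from 192.0.2.10 port 40133 ssh2
Aug 14 21:12:40 host sshd[1210]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Aug 14 21:12:44 host sshd[1211]: Failed password for alice from 198.51.100.7 port 51003 ssh2
Aug 14 21:13:00 host sshd[1212]: Accepted password for alice from 198.51.100.7 port 51004 ssh2
"""

# Matches both "Failed password for root ..." and
# "Failed password for invalid user admin ..."; "Accepted" lines are ignored.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)

def parse_failures(log_text):
    """Yield (source_host, username) for every failed password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("host"), m.group("user")

def summarize(log_text):
    """Per source host: which accounts were tried and how many times each."""
    per_host = defaultdict(lambda: defaultdict(int))
    for host, user in parse_failures(log_text):
        per_host[host][user] += 1
    return {host: dict(users) for host, users in per_host.items()}

def likely_scanners(log_text, min_accounts=2):
    """Hosts whose failures hit at least min_accounts distinct accounts.

    One host failing against several usernames is the scan pattern from the
    reply; a single user mistyping their own password is not.
    """
    return sorted(host for host, users in summarize(log_text).items()
                  if len(users) >= min_accounts)

if __name__ == "__main__":
    for host, users in summarize(SAMPLE_LOG).items():
        print(host, users)
    print("block candidates:", likely_scanners(SAMPLE_LOG))
```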