After installing BFD a short time ago on my new server, I get at least one email per day telling me someone's been trying to get into the server. I never knew so many people were doing this, but I'm sure glad I have BFD installed! :o

So I'm wondering, is there any point in reporting this stuff? If I look up the person's IP address using whois.sc or whatever I can get contact addresses and so on for the ISPs ... but since most of these are coming from China and that area, would it do any good to email the ISPs? Or even to contact ISPs for the ones that are in North America?

I just ignore them.

bfd is overrated in most password attacks. bfd operates on a 8-10 minute cron, so they can try all they want for a few mins before they get booted. If you have an uber dumb password like 'test', they get in. If you have an even halfway good password, it would take way, way longer than 10 mins to brute force into your box. Which is why the cron is set like that by default.

The vast majority of password attacks are mindlessly simple and last only a few seconds. Even then, bfd often screws up the IP entries into deny-hosts.rules, so that the entries are sometimes ineffective.

It is still good and I use it. Requires little resources and is one more layer in your security blanket.

change your ssh from 22 to some other high level port.... That will eliminate a bunch of attempts.

If you see any of these attempts come from Planet IP's please report it to abuse@theplanet.com.

If I change the SSH port as suggested by Bruceleeon to some other port, do I just notify SM through an orbit ticket that the port has been changed?

Add it to the comment box inside your SM's password database. However, specify the port number when you need SM to look into an issue, they always miss the non-root login and the non-22 ssh port for some reasons. =)