My FreeBSD server at home is periodically subjected to distributed hack attempts (which inevitable fail for various reasons). It is not unusual to see these involve over 200 unique IP addresses in a single day. I find these attempts to be little more than annoying, and the distributed nature seems to make it rather meaningless to report them or do much of anything else proactive or reactive for them.
However I have been wondering how
my poor little server at home ever came to be subjected to this to begin with. I host only my own web pages, and thy are so insignificant that the main page on said server isn't even indexed by google.
Of course my server could be accessed over ssh via two different methods of calling by address - either by name or by numeric address. The name is rather obscure (via dyndns.org) so the odds of someone guessing it at random are rather small. I suspect it is more likely that someone did a scan on port 22 over a great range of IP addresses and found mine to be open.
Is there any way to confirm this? I would like sshd, if possible, to tell me who accesses my server via the command
as opposed to
Does the ssh daemon know the difference? Is there any way for it to know the difference and log it somewhere? I don't even care what password is provided as the distributed hacks have so far always provided only invalid usernames or usernames that are not allowed to log in via ssh anyways.