I recently started running a personal site on a dedicated server that I've had for some time but have never actually used. I have never checked its logs, but now that I do, auth.log is full of random SSH connection attempts from Chinese, Russian, Ukrainian, Azerbaijani, etc. IPs. I got curious and checked the logs on another server that I recently acquired, and it's the same story there. I've resorted to draconian measures (I've blocked all Chinese IPs), but one thing keeps bugging me:
How do they pick their targets? And how did they find me? Do they just throw themselves at random IPs? (I think it wouldn't be very useful to try to connect via SSH on port 22 on some random home router, so that doesn't sound logical)
And on a side note (maybe too big of a side note, but still), is what I did (blocked all traffic except on ports 22, 80, 443 and 8080 + all the IPs that I've caught + all Chinese IPs, and removed root SSH login) enough to combat them, or am I still at risk?
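
An added example, not part of the original post: a short Python script that summarizes the kind of auth.log entries described above, counting failed SSH password attempts per source IP and reporting any login accepted from an IP that had already been guessing. The log lines are constructed samples in the usual OpenSSH format using documentation address ranges, and the threshold of 3 failures is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the usual OpenSSH auth.log format (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 04:11:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 04:11:05 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 04:11:09 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51140 ssh2
Mar  3 04:12:30 web1 sshd[2110]: Invalid user oracle from 198.51.100.23 port 40022
Mar  3 04:12:32 web1 sshd[2110]: Failed password for invalid user oracle from 198.51.100.23 port 40022 ssh2
Mar  3 09:00:14 web1 sshd[2300]: Accepted publickey for deploy from 192.0.2.10 port 50514 ssh2
Mar  3 09:05:41 web1 sshd[2333]: Failed password for deploy from 192.0.2.10 port 50520 ssh2
"""

# The username is attacker-controlled, so match it greedily and anchor on the end of the
# line: the real source IP is the LAST "from <ip> port <n> ssh2", not one typed into the name.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+ ssh2")

def summarize(log_text, threshold=3):
    """Summarize sshd login activity; threshold is the failure count that marks an IP as noisy."""
    failures = Counter()         # failed password attempts per source IP
    users = defaultdict(set)     # usernames each source IP tried
    suspicious_logins = []       # (ip, user) accepted after >= threshold earlier failures
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            _, user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            if failures[ip] >= threshold:   # a guessing IP eventually got in
                suspicious_logins.append((ip, user))
    return {
        "failures": dict(failures),
        "users": {ip: sorted(names) for ip, names in users.items()},
        "noisy": sorted(ip for ip, n in failures.items() if n >= threshold),
        "suspicious_logins": suspicious_logins,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

An empty `suspicious_logins` list alongside a long `noisy` list is the pattern described in the post: plenty of guessing, no accepted login from a guessing address.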