Just some notes for system administrators
1. Checking logs for previous break-in attempts.
2. Checking server for existence of rootkits (used to hack and change programs on server without making them detectable to the admin) using multiple tools.
3. Create an alternate account (userKabacha) or (userDRM) which will act as the root account.
4. Changing the root login shell so even if a hacker breaks in using SSH brute force attack, they will be immediately kicked off the server. If the shell for root login is changed then everyone will need to login using an alternative account. If someone tries to login using the root account, it will be considered a break-in attempt.
5. I recommend installation of BFD (Brute Force Detection) software. This software will look for break-in attempts and if ssh login failure attempts exceed the specified threshold, the IP address of the hacker will be blocked (added to firewall).
6. Another software I recommend is SIM (System Integrity Monitor). Using SIM, we can specify load thresholds for "critial" (typically 45) and "warning" (typically 25). Once the server load crosses these thresholds, SIM will step in to stop and restart the needed services.
7. We can also setup a separate log file which will keep track of each successful root login attempt.
8. If you do not get a lot of traffic from countries like Taiwan, Japan, China, South Korea, Nigeria and so forth, I recommend that we block all IPs from these countries for any TCP traffic.
9. In addition there may be other tools and steps that we may recommend upon analysis of your server.
Linux firewall Linux TCP Brute force Firewall