If you are looking for ssh attempts, you should peruse /var/log/auth.log and look for unusual logins. The ones like you mention above are failed. You could run fail2ban or another one that watches your ssh port and, in the event of too many failed attempts, can block the IP through iptables. Be careful, because if someone spoofs the address, then you could block some site that you need to access.
Another idea would be to run a Host-based Intrusion Detection System (HIDS). Tripwire is a classic example, as it does md5sums of critical files and you run it against your machine looking for changes. However, I have come to prefer OSSEC (http://ossec.net), which does md5summing in the background:
OSSEC HIDS Notification.
2011 Aug 25 07:25:59
Received From: (013hornet) 192.168.224.13->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: '/etc/sudoers'
Size changed from '552' to '692'
Old md5sum was: 'fc78e5599202f204e48df73a15e81533'
New md5sum is : '377364efbaefe7138d3fe4081d98b592'
Old sha1sum was: '9053767a81a35ded809dd7269d984589a8f09d13'
New sha1sum is : '6bcc831d9407626328651b68dc73763472b11374'
but also watches your logs for events:
OSSEC HIDS Notification.
2011 Aug 25 06:43:57
Received From: (056worf) 192.168.224.56->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
Portion of the log(s):
Aug 25 06:43:56 worf su[9338]: + ??? root:nobody
Having said all of that, if you suspect your machine was compromised (the failed login messages in the logs only indicate that you had some failed attempts), nuke it and rebuild. After you rebuild, set up iptables, ossec, run nmap or nessus on it and put it back in service.
Regards,
--b
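The two checks the answer above recommends, as an added example that is not part of the original post: a fail2ban-style count of failed sshd passwords per source IP from auth.log lines, and an OSSEC syscheck-style md5/sha1 comparison against a stored baseline. The log lines and the thresholds (maxretry, findtime) are constructed sample values, not taken from the post or from either tool's defaults.

```python
"""Added example: fail2ban-style failure counting and syscheck-style
integrity comparison. Sample auth.log lines below are constructed."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/auth.log excerpt: a burst of failures from one
# address, a single failure and a successful key login from another.
SAMPLE_AUTH_LOG = """\
Aug 25 06:41:01 worf sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Aug 25 06:41:03 worf sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Aug 25 06:41:05 worf sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Aug 25 06:41:09 worf sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51052 ssh2
Aug 25 06:42:00 worf sshd[2210]: Failed password for bob from 198.51.100.4 port 40000 ssh2
Aug 25 06:43:56 worf sshd[2212]: Accepted publickey for bob from 198.51.100.4 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def failed_ssh_sources(log_text, maxretry=3, findtime=600):
    """Return {ip: total_failures} for every IP with at least `maxretry`
    failed passwords inside any `findtime`-second window (the same rule a
    fail2ban sshd jail applies before adding an iptables block)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime's 1900 default is
            # fine because only differences within the log are used
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    offenders = {}
    for ip, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                offenders[ip] = len(stamps)
                break
    return offenders

def checksums(data):
    """Size, md5 and sha1 of file contents: the fields OSSEC's syscheck alert reports."""
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def integrity_changes(baseline, current):
    """Compare a stored baseline with a fresh snapshot; returns {field: (old, new)}."""
    return {k: (baseline[k], current[k]) for k in baseline if baseline[k] != current[k]}
```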