Or, they could get hit by script kiddies that keep looking for old vulnerabilities in some daemon they ran as root.
$ cat /var/log/authlog
...
Sep 13 16:57:31 lucien sshd[16283]: Invalid user webmaster from 218.234.21.151
Sep 13 16:57:31 lucien sshd[290]: input_userauth_request: invalid user webmaster
Sep 13 16:57:31 lucien sshd[16283]: Failed password for invalid user webmaster from 218.234.21.151 port 56992 ssh2
Sep 13 16:57:31 lucien sshd[290]: Received disconnect from 218.234.21.151: 11: Bye Bye
Sep 13 16:57:34 lucien sshd[12747]: User root from 218.234.21.151 not allowed because not listed in AllowUsers
Sep 13 16:57:34 lucien sshd[2144]: input_userauth_request: invalid user root
Sep 13 16:57:34 lucien sshd[12747]: Failed password for invalid user root from 218.234.21.151 port 57162 ssh2
Sep 13 16:57:34 lucien sshd[2144]: Received disconnect from 218.234.21.151: 11: Bye Bye
Sep 13 16:57:36 lucien sshd[20586]: Invalid user ftp from 218.234.21.151
Sep 13 16:57:36 lucien sshd[3604]: input_userauth_request: invalid user ftp
Sep 13 16:57:36 lucien sshd[20586]: Failed password for invalid user ftp from 218.234.21.151 port 57344 ssh2
Sep 13 16:57:37 lucien sshd[3604]: Received disconnect from 218.234.21.151: 11: Bye Bye
Sep 13 16:57:39 lucien sshd[14276]: Invalid user sales from 218.234.21.151
Sep 13 16:57:39 lucien sshd[25572]: input_userauth_request: invalid user sales
Sep 13 16:57:39 lucien sshd[14276]: Failed password for invalid user sales from 218.234.21.151 port 57514 ssh2
Sep 13 16:57:40 lucien sshd[25572]: Received disconnect from 218.234.21.151: 11: Bye Bye
...
(My firewall blocks these losers after two minutes and I still have endless logs like this.)
Or, they could get hit by script kiddies that keep looking for old vulnerabilities in some daemon they ran as root.
(My firewall blocks these losers after two minutes and I still have endless logs like this.)Learning the first way sucks less.