So this computer is reachable on port 22 (from everywhere).
Since messages indicating failed login attempts (usernames like root, cgi, bash, production...) have been flooding /var/log/auth.log, I have disabled password authentication from external IPs (using public key authentication only).
And this works: when trying to ssh into that machine from an external IP (without key) I don't even get the username prompt:
Permission denied (publickey).
So how do all those fake usernames still end up in auth.log?
Aug 4 17:02:48 host sshd[17190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.116.204.99 user=root
Aug 4 17:02:48 host sshd[17190]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug 4 17:02:48 host sshd[17190]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug 4 17:02:48 host sshd[17190]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug 4 17:02:50 host sshd[17190]: Failed password for root from 217.116.204.99 port 40054 ssh2
Aug 4 17:02:50 host sshd[17190]: Received disconnect from 217.116.204.99: 11: Bye Bye [preauth]
...
Apr 7 19:45:40 host sshd[15986]: input_userauth_request: invalid user cgi [preauth]
...
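Added example (not part of the original post): a small triage script that groups sshd lines by PID and separates connections where a password was actually handed to PAM ("Failed password", pam_unix failure) from those where sshd only logged the username named in the authentication request ("invalid user ... [preauth]", which sshd writes before any method is tried). The function name `classify` and the stage labels are made up for this example; the sample lines are copied from the excerpt above.

```python
import re
from collections import defaultdict

# Sample lines copied from the excerpt in the post above.
SAMPLE = """\
Aug 4 17:02:48 host sshd[17190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.116.204.99 user=root
Aug 4 17:02:50 host sshd[17190]: Failed password for root from 217.116.204.99 port 40054 ssh2
Aug 4 17:02:50 host sshd[17190]: Received disconnect from 217.116.204.99: 11: Bye Bye [preauth]
Apr 7 19:45:40 host sshd[15986]: input_userauth_request: invalid user cgi [preauth]
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Logged only once a password has been submitted and checked.
FAILED_PW = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
PAM_FAIL = re.compile(r"pam_\w+\(sshd:auth\): authentication failure;.*rhost=(?P<ip>\S+)(?:\s+user=(?P<user>\S+))?")
# Logged when the request names an unknown account, before any method runs.
INVALID = re.compile(r"input_userauth_request: invalid user (?P<user>\S+)")


def classify(log_text):
    """Group sshd lines by PID and report how far each connection got."""
    sessions = defaultdict(lambda: {"stage": "other", "users": set(), "ips": set()})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        entry, msg = sessions[m["pid"]], m["msg"]
        if hit := (FAILED_PW.search(msg) or PAM_FAIL.search(msg)):
            entry["stage"] = "password_attempted"
        elif hit := INVALID.search(msg):
            if entry["stage"] == "other":
                entry["stage"] = "username_only"
        else:
            continue
        fields = hit.groupdict()
        if fields.get("user"):
            entry["users"].add(fields["user"])
        if fields.get("ip"):
            entry["ips"].add(fields["ip"])
    return {pid: {"stage": e["stage"], "users": sorted(e["users"]), "ips": sorted(e["ips"])}
            for pid, e in sessions.items()}


if __name__ == "__main__":
    for pid, info in classify(SAMPLE).items():
        print(pid, info)
```

Run over the full auth.log, any PID still reported as `password_attempted` after the configuration change points at a source address or time window in which password authentication was still accepted.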