When looking in your Cerberus log file, you may notice thousands of connection attempts to your server from usernames such as "root" "admin" and other account names you did not create.
This is almost certainly a bot on the Internet probing your server. Any server that's accessible from the Internet, and on well-known ports, will get many probing attempts from machines. You will probably see attempts using common account names like root and admin quite frequently.
There are millions of automated bots scouring for SFTP servers, and when they find one they try to guess common usernames (root) and passwords to gain access to your server.
You should enable IP auto-blocking from the Auto IP Blocking page of the IP Manager. When Auto-Blocking is enabled, a failed attempt is logged whenever a user enters an incorrect password or tries to login with an invalid username. The user that continually fails to log into the server will be blocked from trying after a certain number of failed attempts.
For more information on using the IP manager please visit the following link: