Here are a few entries in my Auth.log from today
I'm wondering why sometimes it reports "POSSIBLE BREAK-IN ATTEMPT!" like in line 3, and other times, like in line 1,2, & 4, it doesn't. Seems like they are all break-in attempts, which I understand is not unusual, hence implementation of fail2ban. I'm just wondering what the difference is.
May 23 00:39:25 mailhost sshd: Failed password for invalid user test from 18.104.22.168 port 49493 ssh2
May 23 02:02:40 mailhost sshd: Failed password for root from 22.214.171.124 port 26427 ssh2
May 23 04:48:27 mailhost sshd: reverse mapping checking getaddrinfo for 126.96.36.199.adsl-pool.jlccptt.net.cn [188.8.131.52] failed - POSSIBLE BREAK-IN ATTEMPT!
May 23 04:48:27 mailhost sshd: Failed password for root from 184.108.40.206 port 39796 ssh2