Here are a few entries in my Auth.log from today:
Code:
May 23 00:39:25 mailhost sshd[15491]: Failed password for invalid user test from 85.72.245.159 port 49493 ssh2
May 23 02:02:40 mailhost sshd[15832]: Failed password for root from 116.10.191.206 port 26427 ssh2
May 23 04:48:27 mailhost sshd[16658]: reverse mapping checking getaddrinfo for 160.192.163.222.adsl-pool.jlccptt.net.cn [222.163.192.160] failed - POSSIBLE BREAK-IN ATTEMPT!
May 23 04:48:27 mailhost sshd[16650]: Failed password for root from 222.163.192.160 port 39796 ssh2
I'm wondering why sometimes it reports "POSSIBLE BREAK-IN ATTEMPT!" like in line 3, and other times, like in lines 1, 2, & 4, it doesn't. Seems like they are all break-in attempts, which I understand is not unusual, hence the implementation of fail2ban. I'm just wondering what the difference is.