Here are a few entries in my Auth.log from today
I'm wondering why sometimes it reports "POSSIBLE BREAK-IN ATTEMPT!" like in line 3, and other times, like in line 1,2, & 4, it doesn't. Seems like they are all break-in attempts, which I understand is not unusual, hence implementation of fail2ban. I'm just wondering what the difference is.
May 23 00:39:25 mailhost sshd: Failed password for invalid user test from 220.127.116.11 port 49493 ssh2
May 23 02:02:40 mailhost sshd: Failed password for root from 18.104.22.168 port 26427 ssh2
May 23 04:48:27 mailhost sshd: reverse mapping checking getaddrinfo for 22.214.171.124.adsl-pool.jlccptt.net.cn [126.96.36.199] failed - POSSIBLE BREAK-IN ATTEMPT!
May 23 04:48:27 mailhost sshd: Failed password for root from 188.8.131.52 port 39796 ssh2