Recently, I opened up the SSH port through my firewalls (and redirecting to my server) so I could check on the (http) server while on the road. The first week or two there was nothing different. But now, three or four weeks later, I see lots of this:
Mar 20 08:38:28 localhost sshd[21895]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net user=root
Mar 20 08:38:31 localhost sshd[21895]: Failed password for root from 207.210.101.209 port 2854 ssh2
Mar 20 15:38:31 localhost sshd[21896]: Received disconnect from 207.210.101.209: 11: Bye Bye
Mar 20 08:38:32 localhost unix_chkpwd[21900]: password check failed for user (root)
Mar 20 08:38:32 localhost sshd[21898]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net user=root
Mar 20 08:38:34 localhost sshd[21898]: Failed password for root from 207.210.101.209 port 3729 ssh2
Mar 20 15:38:35 localhost sshd[21899]: Received disconnect from 207.210.101.209: 11: Bye Bye
Mar 20 08:38:36 localhost unix_chkpwd[21903]: password check failed for user (root)
Mar 20 08:38:36 localhost sshd[21901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net user=root
Mar 20 08:38:38 localhost sshd[21901]: Failed password for root from 207.210.101.209 port 4313 ssh2
Mar 20 15:38:38 localhost sshd[21902]: Received disconnect from 207.210.101.209: 11: Bye Bye
Mar 20 08:38:40 localhost unix_chkpwd[21906]: password check failed for user (root)
Mar 20 08:38:40 localhost sshd[21904]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net user=root
Mar 20 08:38:42 localhost sshd[21904]: Failed password for root from 207.210.101.209 port 4869 ssh2
Mar 20 15:38:43 localhost sshd[21905]: Received disconnect from 207.210.101.209: 11: Bye Bye
Mar 20 08:38:44 localhost unix_chkpwd[21909]: password check failed for user (root)
Mar 20 08:38:44 localhost sshd[21907]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net user=root
Mar 20 08:38:46 localhost sshd[21907]: Failed password for root from 207.210.101.209 port 2512 ssh2
Mar 20 15:38:47 localhost sshd[21908]: Received disconnect from 207.210.101.209: 11: Bye Bye
Mar 20 15:38:57 localhost sshd[21912]: Connection closed by 207.210.101.209
There are about 1100 lines of these for March 20th, zero for the 19th, and 800 or so for the 18th—all related to the same IP.
What does it mean? What should I do? Why isn't it chronological?
These are script kiddie attempts to get root via ssh on your box. The best way i've found to deal with these is:
There will be newbies chiming in on how setting the port to a different number is security through obscurity. Yes and no. It doesn't make your box any more secure but it will drastically cut down on the number of scripted attempts to crack ssh.
Edit:
Other good things to do are, disable root logins just in case they did guess your root password or disable password authentication altogether and use key based authentication.
A technique called port knocking can be used that allows you to keep your ssh port closed until requested (externally) by you.
Above answers explain why you're getting many authentication attempts to your SSH server.
As to "Why isn't it chronological?", it looks like you may have a problem with your time zone setting. All the logs seem to be sequential, just at different hours (the minutes and seconds line up).
Try running: