I just typed a wrong password for login to ssh @ root.
I went to /var/log/faillog
But the file is empty (though its file size is 32 bytes).
OK, in auth.log this is spammed:
reverse mapping checking getaddrinfo for dinamic-tigo186-180-143-166.tigo.com.co [186.180.143.166] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 03:44:22 ns3xxxx9 sshd[7497]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=186.180.143.166 user=root
What's that?
You can (by default) check for these failures in /var/log/auth.log
The first line means that a connection attempt was received from an IP address. The ssh server attempted to reverse-resolve the address and got a hostname (dinamic-tigo186-180-143-166.tigo.com.co), but when it attempted to forward-resolve that hostname to get back to the original IP address, it failed. This isn't fatal, it usually means someone else has screwed up their DNS, but ssh lets you know that that log entry has failed a basic can-I-be-relied-on test.
The second line means someone from the same IP address tried to ssh in as root, and failed.
If you get too many of the second kind of entry and want to make things harder for people, I wrote a piece on techniques for dealing with automated ssh password guessing that may interest you, though it doesn't cover fail2ban and similar technologies (because I don't like them).
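To see how the two kinds of entry described above line up per source address, here is an added example (not part of the original answer) that groups them from auth.log. The sample lines, addresses and hostname are constructed, and `summarize` and `report` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the two auth.log entries quoted above.
# Addresses are RFC 5737 documentation ranges; the hostname is made up.
SAMPLE_LOG = """\
Feb 21 03:44:20 host sshd[7497]: reverse mapping checking getaddrinfo for dyn-7.example.net [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 03:44:22 host sshd[7497]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Feb 21 03:44:30 host sshd[7501]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin
Feb 21 03:50:01 host sshd[7600]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9
Feb 21 03:51:10 host sshd[7611]: Accepted publickey for alice from 192.0.2.5 port 50022 ssh2
"""

# Entry 1: the reverse name did not resolve forward to the connecting address.
REVMAP = re.compile(r"reverse mapping checking getaddrinfo for (\S+) \[([^\]]+)\] failed")
# Entry 2: failed password auth; the user= field is treated as optional.
AUTHFAIL = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(\S+)(?:\s+user=(\S+))?")


def summarize(lines):
    """Group both kinds of entry by source address."""
    hosts = defaultdict(lambda: {"failures": 0, "users": set(), "unverified_name": None})
    for line in lines:
        m = REVMAP.search(line)
        if m:
            hosts[m.group(2)]["unverified_name"] = m.group(1)
            continue
        m = AUTHFAIL.search(line)
        if m:
            entry = hosts[m.group(1)]
            entry["failures"] += 1
            if m.group(2):
                entry["users"].add(m.group(2))
    return dict(hosts)


def report(summary):
    """Return printable rows, noisiest source first."""
    rows = sorted(summary.items(), key=lambda kv: (-kv[1]["failures"], kv[0]))
    return [
        f"{ip}: {d['failures']} failed login(s), users={sorted(d['users']) or '-'}, "
        f"unverified reverse name={d['unverified_name'] or '-'}"
        for ip, d in rows
    ]


if __name__ == "__main__":
    # On a real host, pass open("/var/log/auth.log") instead of the sample.
    print("\n".join(report(summarize(SAMPLE_LOG.splitlines()))))
```

An address that shows up with many failures and several different user names is the automated guessing pattern; the unverified reverse name is only a hint about DNS hygiene at the source, not evidence on its own.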