Am 08.03.2013 20:51, schrieb Gordon Messmer: > # tail -f /var/log/secure > Mar 8 11:46:54 firewall sshd[27455]: pam_unix(sshd:auth): > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= > rhost=173-xx-xx-xx-washington.hfc.comcastbusiness.net user=root > Mar 8 11:46:56 firewall sshd[27455]: Failed password for root from > 173.xx.xx.xx port 51437 ssh2 I think I see what's happening now. The machines in question all have password authentication disabled, so they obviously never log "Failed password". If someone tries to log in to an existing user account with password authentication, she gets the message "no supported authentication methods available" or something like that. In that case /var/log/secure does not log a failure message. The only trace of that attempt is a "Received disconnect", like here after the message I cited in my original posting: Mar 3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT! Mar 3 04:44:49 gimli sshd[12871]: Received disconnect from 61.163.113.72: 11: Bye Bye If I set "UseDNS no" the first message disappears and only the second one remains. So it seems there is no way to identify password bruteforcing attempts on servers which don't accept password authentication in the first place. -- Tilman Schmidt Phoenix Software GmbH Bonn, Germany -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 261 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20130309/cbcc8204/attachment-0005.sig>