检查日志是个好的习惯，在linux里也有日志文件，是在/var/log/message 和/var/log/secure两个文件，下面检查中，发现有人企图用root 进行ssh登陆，但是密码不正确

[root@localhost log]# pwd
/var/log
[root@localhost log]# more messages
Nov  4 17:08:03 localhost syslogd 1.4.1: restart.
Nov  4 17:25:53 localhost sshd(pam_unix)[9897]: session opened for user root by root(uid=0)
Nov  4 17:28:09 localhost sshd: sshd -TERM succeeded
Nov  4 17:28:09 localhost sshd:  succeeded
Nov  5 15:20:24 localhost sshd(pam_unix)[10474]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.20.100.110  u
ser=root
Nov  5 15:20:32 localhost sshd(pam_unix)[10476]: session opened for user root by root(uid=0)
[root@localhost log]# more secure
Nov  4 17:25:52 localhost sshd[9895]: Address 10.20.100.110 maps to localhost, but this does not map back to the address - POSSIBLE
BREAKIN ATTEMPT!
Nov  4 17:25:52 localhost sshd[9895]: Accepted password for root from ::ffff:10.20.100.110 port 2031 ssh2
Nov  4 17:28:09 localhost sshd[5226]: Received signal 15; terminating.
Nov  4 17:28:09 localhost sshd[9943]: Server listening on :: port 2501.
Nov  4 17:28:09 localhost sshd[9943]: error: Bind to port 2501 on 0.0.0.0 failed: Address already in use.
Nov  5 15:20:24 localhost sshd[10474]: Address 10.20.100.110 maps to localhost, but this does not map back to the address - POSSIBLE
 BREAKIN ATTEMPT!
Nov  5 15:20:26 localhost sshd[10474]: Failed password for root from ::ffff:10.20.100.110 port 2779 ssh2
Nov  5 15:20:32 localhost sshd[10474]: Accepted password for root from ::ffff:10.20.100.110 port 2779 ssh2
[root@localhost log]#