Examining log files in detail.
Let's look at your ssh log file as an example. Each time someone tries to access your server using ssh they have to enter a user name and password combination to gain access. When they hit enter the server tries to authenticate the information provided, and whether or not the attempt is successful a log entry is written. If the attempt is by a hacker, what you will see in the logs is something like the log entries listed below.
Above you can see 4 separate hack attempts. Each attempt starts with the date, your server name and the program writing to the log, in this case sshd: “May 27 09:58:16 yourserver sshd”. Not all logs follow this pattern exactly, but most are very similar. In the case of ssh there are two lines per log entry and each line begins with the date.
The real clues that this section of the log is reporting hack attempts are the phrases “authentication failure” and “Failed password for root”. Most importantly, sshd reports the IP address “22.214.171.124”, which is the IP address the hack attempt is coming from. In other words the IP address is the number assigned to the hacker's internet connection. With that information in hand fail2ban can tell the Iptables or Shorewall firewall to block that IP address from accessing or even connecting to your server for a period of time.
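The following script is an added example, not code from the original article or from fail2ban itself. It shows, in simplified form, the decision described above: scan sshd log lines for the “Failed password for …” pattern, pull out the source IP, count failures per IP, and produce a firewall rule for any IP that crosses a retry threshold. The sample log lines, host name, PIDs and IP addresses (taken from the RFC 5737 documentation ranges) are constructed for the example; fail2ban's own filter regexes and jail settings are not reproduced here.

```python
import re
from collections import defaultdict

# Constructed sample log in the two-line sshd/PAM pattern the article describes:
# a pam_unix "authentication failure" line followed by a "Failed password" line.
# Host name, PIDs and IP addresses are hypothetical (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
May 27 09:58:16 yourserver sshd[2301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
May 27 09:58:18 yourserver sshd[2301]: Failed password for root from 192.0.2.10 port 51234 ssh2
May 27 09:58:21 yourserver sshd[2303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
May 27 09:58:23 yourserver sshd[2303]: Failed password for root from 192.0.2.10 port 51240 ssh2
May 27 09:59:02 yourserver sshd[2310]: Failed password for invalid user admin from 192.0.2.10 port 51302 ssh2
May 27 10:01:45 yourserver sshd[2320]: Failed password for alice from 198.51.100.7 port 40022 ssh2
May 27 10:02:01 yourserver sshd[2321]: Accepted password for alice from 198.51.100.7 port 40023 ssh2
"""

# Matches the "Failed password" line: syslog timestamp, host, sshd[pid], user, source IP.
# "invalid user" appears when the login name does not exist on the server.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, ip) tuples, one per failed login.

    The PAM "authentication failure" line and the "Failed password" line belong
    to the same attempt, so only the latter is counted to avoid double counting.
    """
    attempts = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            attempts.append((m.group("ts"), m.group("user"), m.group("ip")))
    return attempts


def failures_by_ip(text):
    """Count failed logins per source IP address."""
    counts = defaultdict(int)
    for _, _, ip in parse_failed_logins(text):
        counts[ip] += 1
    return dict(counts)


def ips_to_ban(text, maxretry=3):
    """IPs with at least `maxretry` failures: the same kind of threshold decision
    a fail2ban sshd jail makes before asking the firewall to block an address."""
    return sorted(ip for ip, n in failures_by_ip(text).items() if n >= maxretry)


def iptables_drop_rule(ip):
    """Render the iptables rule that would drop all traffic from `ip`.
    (fail2ban normally puts such rules in its own chain; this is the plain form.)"""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ts, user, ip in parse_failed_logins(SAMPLE_LOG):
        print(f"{ts}  failed login for {user!r} from {ip}")
    print("failures per IP:", failures_by_ip(SAMPLE_LOG))
    for ip in ips_to_ban(SAMPLE_LOG):
        print("would run:", iptables_drop_rule(ip))
```

In the sample, 192.0.2.10 fails three times within a minute (twice as root, once as a non-existent user) and crosses the threshold, while the single mistyped password from 198.51.100.7 followed by a successful login does not; that distinction is why a retry count and time window, rather than a single failure, drive the ban.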
Banning these IP addresses will reduce the amount of traffic to your website; however, like the unruly school students in the example above, you really don't want these visitors because their sole purpose is to do harm to your site or server.