I've got a CentOS 5.x box running on a VPS platform. My VPS host misinterpreted a support inquiry I had about connectivity and effectively flushed some iptables rules. This resulted in ssh listening on the standard port and acknowledging port connectivity tests. Annoying.

The good news is that I require SSH Authorized keys. As far as I can tell, I don't think there was any successful breach. I'm still very concerned about what I'm seeing in /var/log/secure though:

Apr 10 06:39:27 echo sshd[22297]: reverse mapping checking getaddrinfo for 222-237-78-139.tongkni.co.kr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 13:39:27 echo sshd[22298]: Received disconnect from 11: Bye Bye
Apr 10 06:39:31 echo sshd[22324]: Invalid user edu1 from
Apr 10 06:39:31 echo sshd[22324]: reverse mapping checking getaddrinfo for 222-237-78-139.tongkni.co.kr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 13:39:31 echo sshd[22330]: input_userauth_request: invalid user edu1
Apr 10 13:39:31 echo sshd[22330]: Received disconnect from 11: Bye Bye
Apr 10 06:39:35 echo sshd[22336]: Invalid user test1 from
Apr 10 06:39:35 echo sshd[22336]: reverse mapping checking getaddrinfo for 222-237-78-139.tongkni.co.kr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 13:39:35 echo sshd[22338]: input_userauth_request: invalid user test1
Apr 10 13:39:35 echo sshd[22338]: Received disconnect from 11: Bye Bye
Apr 10 06:39:39 echo sshd[22377]: Invalid user test from
Apr 10 06:39:39 echo sshd[22377]: reverse mapping checking getaddrinfo for 222-237-78-139.tongkni.co.kr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 13:39:39 echo sshd[22378]: input_userauth_request: invalid user test
Apr 10 13:39:39 echo sshd[22378]: Received disconnect from 11: Bye Bye

What exactly does "POSSIBLE BREAK-IN ATTEMPT" mean? That it was successful? Or that it didn't like the IP the request was coming from?

6 Answers 6


Unfortunately this in now a very common occurrence. It is an automated attack on SSH which is using 'common' usernames to try and break into your system. The message means exactly what it says, it does not mean that you have been hacked, just that someone tried.

  • Thanks Lain. That makes me feel better. I'm really glad I require authorized keys for ssh. =)
    – Mike B
    Commented Apr 17, 2011 at 18:31
  • 29
    "reverse mapping checking getaddrinfo for" is more about source IP/hostname crafted. The same crafted traffic is trying bad user names, but bad user names doesn't generate the "POSSIBLE BREAK-IN ATTEMPT" message.
    – poisonbit
    Commented Apr 17, 2011 at 18:34
  • 12
    @MikeyB: You may want to look at adding fail2ban to you system. THis can be configured to block the IP addresses of these attackers automatically.
    – user9517
    Commented Apr 17, 2011 at 18:35
  • 9
    Note that 'reverse mapping failed' can simply mean that the user's ISP hasn't configured reverse DNS correctly, which is quite common. See @Gaia 's answer. Commented Oct 9, 2013 at 13:52
  • 3
    This is inaccurate, it just means the the reverse DNS does not match the hostname the client sent to identify themselves. It is likely flagged since that might have been a break in attempt for people using .rhosts or .shosts authentication (I've never seen that used). Scans happens, but that is not what this message is about (although any connection can trigger it) (For scans, the failed auth / unknown user messages are better to look for) Commented Nov 16, 2018 at 7:38

The "POSSIBLE BREAK-IN ATTEMPT" part specifically, is related to the "reverse mapping checking getaddrinfo failed" part. It means the person who was connecting didn't have forward and reverse DNS configured correctly. This is quite common, especially for ISP connections, which is where the "attack" was probably coming from.

Unrelated the the "POSSIBLE BREAK-IN ATTEMPT" message, the person is actually trying to break in using common user names and passwords. Do not use simple passwords for SSH; in fact the best idea to to disable passwords altogether and use SSH keys only.

  • 1
    If it's generated by a (valid) connection via an ISP, you can add an entry to your /etc/hosts file to get rid of this reverse mapping error. Obviously you'd only do this if you knew that the error is benign and want to clean up your logs. Commented Aug 10, 2012 at 9:22

"What exactly does "POSSIBLE BREAK-IN ATTEMPT" mean?"

This means that the netblock owner did not update the PTR record for a static IP within their range, and said PTR record is outdated, OR an ISP does not setup proper reverse records for its dynamic IP customers. This is very common, even for large ISPs.

You end up getting the msg in your log because someone coming from an IP with improper PTR records (due to one of the reasons above) is trying to use common usernames to try SSH into your server (possibly bruteforce attack, or maybe an honest mistake).

To disable these alerts, you have two choices:

1) If you have a static IP, add your reverse mapping to your /etc/hosts file (see more info here): server.remotehost.com

2) If you have a dynamic IP and really want to make those alerts go away, comment out the "GSSAPIAuthentication yes" in your /etc/ssh/sshd_config file.

  • 2
    commenting GSSAPIAuthentication does not help in my case (
    – SET
    Commented Jan 3, 2014 at 0:57
  • UseDNS no is probably the better setting to get rid of it (and of slow logins when the server has DNS issues...) Commented Nov 16, 2018 at 7:39

You can make your logs easier to read and check by turning off reverse lookp-ups in sshd_config (UseDNS no). This will prevent sshd from logging the "noise" lines containing "POSSIBLE BREAK-IN ATTEMPT" leaving you to concentrate on the slightly more interesting lines containing "Invalid user USER from IPADDRESS".

  • 4
    What is the downside to disabling sshd reverse lookups on a server connected to the public Internet? Is there any upside at all to leaving this option enabled?
    – Eddie
    Commented Nov 6, 2013 at 15:48
  • 2
    @Eddie I don't think the DNS lookups performed by sshd serves any useful purpose. There are two good reasons to disable the DNS lookups. The DNS lookups can slow down login if the lookups time out. And the "POSSIBLE BREAK-IN ATTEMPT" messages in the log are misleading. All that message really means is that the client has misconfigured DNS.
    – kasperd
    Commented Jul 1, 2015 at 10:12
  • 1
    I disagree @OlafM - "UseDNS no" tells sshd to not perform the reverse mapping check and therefore it will not add any lines containing "POSSIBLE BREAK-IN ATTEMPT" to the system logs. As a side-effect it may also speed up connection attempts from hosts than don't have reverse DNS configured correctly.
    – TimT
    Commented May 4, 2017 at 12:55
  • 1
    Yes @OlafM I did, about 4-5 years ago on Linux. It considerably shortened my logs and stopped logcheck bugging me with worthless email reports.
    – TimT
    Commented May 26, 2017 at 8:07
  • 1
    The main use of UseDNS is for the (bad idea to use) .rhosts and .shosts authentication (HostbasedAuthentication). (And the From match option in the SSHD config and authorized_keys) (There is a seperate setting HostbasedUsesNameFromPacketOnly though which might be needed to switch of reverse lookups for Hosts based auth as well, worse idea than using Hostsbasedauthentication...) Commented Nov 16, 2018 at 7:44

It's not necessary a successful login, but what it says "posible" and "attempt".

Some bad boy or script kiddie, is sending you crafted traffic with a false origin IP.

You can add origin IP limitations to your SSH keys, and try something like fail2ban.

  • 2
    Thanks. I have iptables set to only allow ssh connectivity from select sources. I also have fail2ban installed and running.
    – Mike B
    Commented Apr 17, 2011 at 18:31

In my case after three week of suffering with logout of systems and hang in ssh connections every one minutes, I found my network changed to IPv6 when try to get my IP, so I tried to disable IPv6 and restart network, but that didn't not solve my problem.

Note: in every hang of ssh, I found this log line:

reverse mapping checking getaddrinfo for x.x.x.x.xx.com.xx [xx.xx.xx.xx] failed - POSSIBLE BREAK-IN ATTEMPT!

So I think part of this error is from your connection provider, when your IP changed continuously, ssh will keep freezing and this error will occurs. I changed my internet provider and problem was solved.

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .