# [Solved] Illegal users, logwatch question

## Sedrik

Hi guys and gals

Noted this today and I am wondering what it means (currently at work so can't read through the man page)

What is the difference between Illegal users and Login attempted?

```

 Illegal users from:

   49.212.64.138 (h-sys.biz): 1 time

   59.67.168.253 (mail.tjrac.edu.cn): 9 times

   88.191.74.240 (sd-13527.dedibox.fr): 9 times

   202.28.201.13: 6 times

   221.4.200.196: 7 times

 Login attempted when not in AllowUsers list:

   bin : 6 Time(s)

   daemon : 4 Time(s)

   mysql : 1 Time(s)

   nobody : 1 Time(s)

   root : 948 Time(s)

   sshd : 1 Time(s)
```

----------

## cach0rr0

the former == people trying to login as non-existent users

the latter == people trying to login as existing users, but ones that arent allowed to login via ssh

NB: if you cant do key-based auth, or change the ssh port, you should really look at deploying something like fail2ban

----------

## Sedrik

I am planning on setting up key based login, just havent had time to do it yet. Will look into it.

Thanks

----------

