I see two different type of log messages in my /var/log/auth.log file
one is and another is
in the second log the IP address from where the connection originated was
240.135.121.200

now the log of type one above is also present and some at some places log of type2.
If you note the IP logged in in both cases the type1 logged as
and type 2 logged as
in type 2 the IP actually was 240.135.121.200
which is recorded in reverse fashion.
So like this at many places the order in which it is recorded is reverse.
My problem is looking at the logs how do I find the IP from where connection originated when is it logged as
A.B.C.D
and when it is logged as D.C.B.A
I am not sure from the log of type 1 I quoted above
that the IP I should block should be
115.69.217.3
or
3.217.69.115

I don't see any issue there at all. The "reverse" IP address, "200.121.135.240.speedy.net.pe", is clearly NOT an IP address, but a hostname, which is totally arbitrary based upon the practises of the ISP. The detail in the square brackets is the real IP address, there is no logical conflict here at all, it is NEVER logged as "D.C.B.A"

Some of the logs I have which do not have any entry in braces.

Well that's not been mentioned at all in the original post. If you wish to expand on that with sample logs etc then we may be able to comment.

but any how you pointed in [] so I scanned all the logs and could not find one such example.

There is one more log
and I see this guy had tried a lot of other permutations.Does that mean he was able to guess the username correctly.

I have no idea what you're trying to achieve here. there is no problem to solve.

g 17:51:48 sshd[13917]: Invalid user admin from 220.80.107.196
g 17:51:57 sshd[13942]: Invalid user admin from 220.80.107.196
g 17:52:05 sshd[13965]: Invalid user test from 220.80.107.196
g 17:52:13 sshd[13986]: Invalid user test from 220.80.107.196
g 17:52:20 sshd[14009]: Invalid user user from 220.80.107.196
g 17:52:28 sshd[14029]: Invalid user user from 220.80.107.196
g 17:52:36 sshd[14050]: Invalid user user1 from 220.80.107.196
g 17:52:44 sshd[14071]: Invalid user user1 from 220.80.107.196
g 17:52:52 sshd[14092]: Invalid user user1 from 220.80.107.196
g 17:53:00 sshd[14112]: Invalid user user from 220.80.107.196
g 17:53:07 sshd[14133]: Invalid user user1 from 220.80.107.196
sshd[12626]: Did not receive identification string from 220.80.107.196

Pasting some logs and saying nothing else is not useful.

In the above log you see the person with above IP was trying different user names and in the last line I read Did not recieve identification string.
So some logs are
Invalid user user1 from 220.80.107.196
while some are
Did not receive identification string from 220.80.107.196

both from same IP.I want to know that looking at the above logs what can I deduce
1) The person was trying different user names on ssh
2) What can I infer from this log

The "Did not receive" messages are probably just dumb port scans. An ssh client will, on connection, tell the server what program it is. A port scan won't bother doing this.

Ok you mean to say in the "Did not recieve" line does that mean the attacker did not even tried for password to some fake account getting frustrated over what ever be the password he tried to scan what service is open at that port.

it's the most likely cause, yes.

Ok that makes it clear.Thanks for the information.

Please run some of your own tests as well against a non-production ssh server and watch the logs to learn what each piece means.

For instance, what will your logs say if you connect to the SSH port and send the string OMGHAX?

EDIT: don't use an ssh client for the above test. Just connect with something like netcat or telnet.

Hi when I had started this thread I missed those logs (infact I did see them but was unable to locate) today I got the logs which do not have square braces
Here it is I am not sure if you are still reading the thread.