He could have brute forced your password, or one of the users on your server passwords... Brute force is when the little script kiddie gets this program out with a massive dictionary of all these user names and passwords and then this program or his botnet ( large amount of zombie computers " bots " ) use this dictionary to guess the password thousands of times ( if not millions ) and they do in some cases get the pass.
They fine a vunreble script ( web ) on your server and they exploit it, or they find exploits for it. Then then insert there kiddie code and gain access. They then use a rootkit to hide there tracks and provide a backdoor into the server.
I would say he/she has cracked your password in some way.
Define "accepted logins". Posting the message that you're seeing can help here.
Brute force is usually going to happen when you have passwords that just don't make the grade (ie: ANYTHING dictionary related, personal (birthday,etc), and more). The best response is to use one of the following solutions:
A> change ssh port
B> disable root login
C> require root logins to have an ssh key, rather than accepting a password for root.
WHMCS Guru - WHMCS addons, management, support and more. WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
Linux Problems? WHMCS Issues? +1-866-546-8914 (linux-14) or @whmcsguru on twitter!