[stevendgarcia]

I'm still picking up the pieces but from my logs I can see that hundreds of successive login attempts were made from different IPs, effectively circumventing fail2ban with what I can only assume is some form of automated IP spoofing. I'm hoping that strict ipv4 settings and ssh ip range restrictions will mitigate this in the future. I also used this python script to harden my SSH security with better algorithms. https://github.com/arthepsy/ssh-audit

[nickphx]

No, you were not seeing spoofed traffic. There are that many compromised machines actively scanning.

[stevendgarcia]

It's scary to admit this but you are probably right. The first thing these bots do is use server resources to scan ports and brute force their way into other machines. I don't want to think about how many machines are pwned like this. Very sobering!

[snazz]

This is also perfectly normal for the Internet, yes? If you have a server with an IPv4 address, expect many attempts per day.