I have been doing similar, albeit less complex analysis, of incoming malicious, and it's always surprising the amount of relentless attacks. Any good practices to maintain a secure online server?
No root login, no password login, public key only. This should make ~100% of ssh attacks futile. If you don't want to see many failed login attempts in your logs, listening on a completely random 5 digit port and has worked well for me. You can specify the port in ~/.ssh/config so you don't have to type it every time you log in.