I have been having these attacks for weeks as shown for the last two days, below. Abuse@digitalocean.com is either overwhelmed or under staffed or both. My solution as of today is to block their entire domain 107/170.0.0/16, since they have no valid reason to be accessing my servers.
[“May 5 14:56:15 wbofw sshd[22084]: Connection from 107.170.231.42 port 58873 on 96.10.34.34 port 22”,
“May 5 14:56:19 wbofw sshd[22084]: User root from 107.170.231.42 not allowed because not listed in AllowUsers”,
“May 5 14:56:19 wbofw sshd[22084]: inputuserauthrequest: invalid user root [preauth]”,
“May 5 14:56:19 wbofw sshd[22084]: Received disconnect from 107.170.231.42 port 58873:11: Normal Shutdown, Thank you for playing [preauth]”,
“May 5 14:56:19 wbofw sshd[22084]: Disconnected from 107.170.231.42 port 58873 [preauth]”]
[“May 5 16:03:24 wbofw sshd[27194]: Connection from 107.170.249.235 port 56651 on 96.10.34.40 port 22”,
“May 5 16:03:24 wbofw sshd[27194]: Invalid user ubuntu from 107.170.249.235 port 56651”,
“May 5 16:03:24 wbofw sshd[27194]: inputuserauthrequest: invalid user ubuntu [preauth]”,
“May 5 16:03:25 wbofw sshd[27194]: Received disconnect from 107.170.249.235 port 56651:11: Normal Shutdown, Thank you for playing [preauth]”,
“May 5 16:03:25 wbofw sshd[27194]: Disconnected from 107.170.249.235 port 56651 [preauth]”]
[“May 5 16:22:56 wbofw sshd[28535]: Connection from 107.170.249.235 port 42680 on 96.10.34.34 port 22”,
“May 5 16:22:57 wbofw sshd[28535]: Invalid user mysql from 107.170.249.235 port 42680”,
“May 5 16:22:57 wbofw sshd[28535]: inputuserauthrequest: invalid user mysql [preauth]”,
“May 5 16:22:57 wbofw sshd[28535]: Received disconnect from 107.170.249.235 port 42680:11: Normal Shutdown, Thank you for playing [preauth]”,
“May 5 16:22:57 wbofw sshd[28535]: Disconnected from 107.170.249.235 port 42680 [preauth]”]
[“May 6 04:22:29 wbofw sshd[13883]: Connection from 107.170.105.164 port 54472 on 96.10.34.40 port 22”,
“May 6 04:22:56 wbofw sshd[13883]: Invalid user lian from 107.170.105.164 port 54472”,
“May 6 04:22:56 wbofw sshd[13883]: inputuserauthrequest: invalid user lian [preauth]”,
“May 6 04:22:56 wbofw sshd[13883]: Received disconnect from 107.170.105.164 port 54472:11: Bye Bye [preauth]”,
“May 6 04:22:56 wbofw sshd[13883]: Disconnected from 107.170.105.164 port 54472 [preauth]”]
[“May 6 10:06:30 wbofw sshd[8221]: Connection from 107.170.172.23 port 53235 on 96.10.34.40 port 22”,
“May 6 10:06:35 wbofw sshd[8221]: Address 107.170.172.23 maps to www.thethinktankers.in, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!”,
“May 6 10:06:35 wbofw sshd[8221]: User ftp from 107.170.172.23 not allowed because not listed in AllowUsers”,
“May 6 10:06:35 wbofw sshd[8221]: inputuserauthrequest: invalid user ftp [preauth]”,
“May 6 10:06:35 wbofw sshd[8221]: Received disconnect from 107.170.172.23 port 53235:11: Normal Shutdown, Thank you for playing [preauth]”,
“May 6 10:06:35 wbofw sshd[8221]: Disconnected from 107.170.172.23 port 53235 [preauth]”]