Who’s knocking on your door?

It seems that the new “thing” on the internet these days is port scanning for port 22 (aka SSH).  I was going through my firewall logs on my home router and over the last week or so, it is broken down as follows:

country cnt
China 2123
Germany 1827
Italy 1460
United States 1115
Russian Federation 838
Korea, Republic of 738
Austria 692
Poland 618
Spain 502
Colombia 453
India 441
Czech Republic 323
Ecuador 286
Romania 282
Belgium 256
Chile 228
Panama 201
Pakistan 199
France 198
Argentina 170
Canada 148
Switzerland 138
Ukraine 129
Taiwan 128
Venezuela 111
Mexico 111
Denmark 105
Hungary 101
Slovenia 87
Brazil 77
Guatemala 59
Uruguay 53
Estonia 50
Croatia 48
Singapore 36
Australia 32
Portugal 32
Hong Kong 29
Greece 25
New Zealand 24
Ireland 18
Netherlands 17
Serbia 15
United Kingdom 13
South Africa 12
Malaysia 9
Thailand 8
Peru 7
Moldova, Republic of 6
Azerbaijan 3
Turkey 2
Malta 1
Total 14585

As a comparison, attempts that were blocked that weren’t ssh only totaled 1430. So are these bot’s or people looking for rogue iPhone’s or just trying to find new vulnerabilities in SSH? The interesting thing is it appears that each source IP tries 3 times. The second try is 3 seconds after the first and the third is 6 seconds after the second.

An interesting IP is 217.70.139.42, which has tried 303 times since the 14th. The IP is from Germany and also appears on several SSH dictionary attacks. So is it time to start running services on non-standard ports?