Mike Hammett said:
IMO, the answer is balance.
- Handful of SSH connection attempts against a server. Nobody got in,
  security hardening did its job. I don't think that is worth reporting.
- Constant brute force SSH attempts from a given source over an extended period
  of time, or a clear pattern of probing, yes, report that.
The bad guys have already gamed that system. If you have a zillion bots, you
can have each bot try a different name/password on a large batch of IP
addresses. A victim only sees one try from each bot.
The daily logwatch reports that land in my mailbox are full of ssh attempts
that end with ": 1 Time".
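
The pattern described in this message can be seen by counting sshd failures per host as well as per source. The following is an added example, not part of the original thread; the log lines are constructed, and the function name and both thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Matches OpenSSH "Failed password" lines for valid and invalid users.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize(lines, per_source_limit=5, one_shot_limit=4):
    """Summarize failed SSH logins in one host's auth log.

    per_source_limit and one_shot_limit are illustrative thresholds
    (assumptions), not values taken from the thread.
    """
    per_ip = Counter()
    users_by_ip = {}
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]] += 1
            users_by_ip.setdefault(m["ip"], set()).add(m["user"])
    # Classic view: one source hammering the host.
    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_source_limit)
    # Logwatch's ": 1 Time" entries: sources seen exactly once.
    one_shot = [ip for ip, n in per_ip.items() if n == 1]
    names = set().union(*(users_by_ip[ip] for ip in one_shot)) if one_shot else set()
    return {
        "noisy_sources": noisy,
        "one_shot_sources": len(one_shot),
        "one_shot_usernames": len(names),
        # Many single-try sources on one host suggest a coordinated sweep
        # that no per-source threshold would ever trip.
        "distributed_suspected": len(one_shot) >= one_shot_limit,
    }

# Constructed sample: six sources with one try each, one noisy source,
# and one successful login that must be ignored.
SAMPLE = [
    f"Jan 10 03:1{i}:02 host sshd[100{i}]: Failed password for invalid user "
    f"{u} from 198.51.100.{10 + i} port 4000{i} ssh2"
    for i, u in enumerate(["admin", "test", "oracle", "git", "deploy", "backup"])
] + [
    f"Jan 10 04:00:0{i} host sshd[2000]: Failed password for root "
    f"from 203.0.113.7 port 5000{i} ssh2"
    for i in range(6)
] + ["Jan 10 04:05:00 host sshd[2100]: Accepted publickey for alice "
     "from 192.0.2.20 port 51000 ssh2"]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A per-source rule flags only 203.0.113.7 here; the six single-try sources surface only in the per-host count.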