I added denyhosts a month ago to assist with the frequent ssh probes I was getting. The list below is interesting and yet not that surprising. I used whois to determine country. In two cases the IP came from presumably legitimate company networks with US headquarters.

My server is not a well known IP. The IP is an ISP dynamically allocated IP address and behind a Linksys NAT router/firewall. In addition, the server is up only 12 hours a day during the US day time hours. So these guys must really be looking hard everywhere all the time.

• China 5
• Korea 2
• Japan 2
• Poland 1
• Mexico 1
• India 1
• Brazil 1
• Inforte Corp 1
• Eclipse Marketing 1

I've honestly never heard of SSH scanbots targeting non-dynamic IPs, so I don't see how this would make any difference.

Yes, the login attempts you are experiencing are almost certainly the direct result of intel provided by automated and randomized recon. And yes, IPs are getting scanned worldwide 24/7 - there's nowhere to hide. BTW, these "guys" could very well be sound asleep in mom's basement while their bots have you under attack.

Keep in mind that the boxes being used to attack you are very likely to be part of "presumably legitimate networks", and they've simply been owned. In such cases you wouldn't really have any idea where the master node is with this information you have. My point being that this country-breakdown thing can be something cute to show your boss but it doesn't really mean much otherwise, unless you are someone who likes to collect statistics for this kind of stuff.