Has anyone ever seen something like this? The IP resolved to a middle school in South Korea.

Mar 28 19:38:43 localhost sshd[3909]: scanned from 211.248.172.2 with SSH-1.0-SSH_Version_Mapper . Don't panic.
Mar 28 19:38:58 localhost sshd[3908]: Did not receive identification string from 211.248.172.2.
Mar 28 19:41:35 localhost sshd[3910]: Disconnecting: Corrupted check bytes on input.
Mar 28 19:47:58 localhost sshd[3911]: Disconnecting: Corrupted check bytes on input.

It's a version scanner, it could be used to determine if your Sshd version is vulnerable to a CRC-32 or other attack. Increased scanning seems to have been started around dec of last yr.

These are some steps to tighten Sshd access:
- upgrade Sshd to a 3x version to shield from 2.9x flaws,
- make sure sshd_config only lists "Protocol 2" and not fallback capacity like "Protocol 2,1",
- use (if compiled with support for) TCP wrappers to allow only specific hosts access, or use an "ALL EXCEPT" statement if you get hit more by some IP ranges but can't add restrictions on allowed ip ranges,
- add firewall blocking rule, matching the previous step. (Could add sending RST: no daemon listening on port),
- restrict user access in sshd_config
- Add snort (compile --with-flexresp) with Guardian to block access when a "CRC32" signature alert is found.

IMO the 1st 3 steps should be mandatory, and the last 3 optional cuz they are too restrictive.