I have a web application that I'm hosting on an Amazon Ubuntu server, and it has a public IP address - and very little traffic.
I was observing the authorization logs in /var/log, and noticed several like the following, typically 15-30 times/day, and all with a different username.
Sep 9 01:15:37 ip-xx-xxx-xx-xxx sshd[24944]: Invalid user zabbix from 192.69.90.218
Sep 9 01:15:37 ip-xx-xxx-xx-xxx sshd[24944]: input_userauth_request: invalid user zabbix [preauth]
Sep 9 01:15:37 ip-xx-xxx-xx-xxx sshd[24944]: Received disconnect from 192.69.90.218: 11: Bye Bye [preauth]
Most of these come from Vietnam and China. I assume this is typical, that somebody has programmed a bot to trawl the web and attempt logins. There are similar threads about understanding logs, but my question is this:
Is this volume normal, and how do I establish a baseline for normal activity levels?
If I'm assured about security - and I am, I use locally saved SSH keys - is there any harm to these failed requests, even as they grow in number over time?
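One way to turn these log lines into a baseline, as an added example that is not part of the original question: it counts sshd "Invalid user" events per day and flags days far above the median. The sample lines are constructed (hostname `ip-host`, documentation-range IPs), and the median + 3 × MAD threshold is an assumption, not a standard.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# sshd logs one "Invalid user <name> from <ip>" line per attempt; the
# input_userauth_request and disconnect lines repeat the same event.
INVALID = re.compile(
    r"^(\w{3}\s+\d+) [\d:]+ \S+ sshd\[\d+\]: Invalid user (.*?) from (\S+)")

def daily_stats(lines):
    """Per day: attempt count, distinct usernames tried, attempts per source."""
    days = defaultdict(lambda: {"attempts": 0, "users": set(), "sources": Counter()})
    for line in lines:
        m = INVALID.match(line)
        if not m:
            continue
        day = " ".join(m.group(1).split())  # "Sep  9" -> "Sep 9"
        days[day]["attempts"] += 1
        days[day]["users"].add(m.group(2))
        days[day]["sources"][m.group(3)] += 1
    return dict(days)

def unusual_days(stats, k=3):
    """Baseline = median daily count; flag days above median + k * MAD."""
    counts = [d["attempts"] for d in stats.values()]
    base = median(counts)
    mad = median(abs(c - base) for c in counts)
    limit = base + k * max(mad, 1)  # floor so a flat history still has slack
    return base, [day for day, d in stats.items() if d["attempts"] > limit]

def _line(day, i, ip):  # constructed log line in the post's format
    return (f"Sep {day:>2} 01:15:{i % 60:02d} ip-host sshd[{24000 + i}]: "
            f"Invalid user user{i} from {ip}")

# Constructed sample: four ordinary days and one spike; documentation-range IPs.
SAMPLE = [_line(day, i, "192.0.2.10" if i % 2 else "198.51.100.7")
          for day, n in [(6, 15), (7, 22), (8, 30), (9, 18), (10, 240)]
          for i in range(n)]
SAMPLE.append("Sep  9 01:15:37 ip-host sshd[24944]: "
              "input_userauth_request: invalid user zabbix [preauth]")

if __name__ == "__main__":
    stats = daily_stats(SAMPLE)
    base, odd = unusual_days(stats)
    for day, d in stats.items():
        print(day, d["attempts"], len(d["users"]), d["sources"].most_common(1))
    print("baseline:", base, "unusual:", odd)
```

To run it on a real log, pass an open file such as `/var/log/auth.log` to `daily_stats` instead of `SAMPLE`.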