Just looking at /var/log/messages and I see it riddled with this pattern:
2017-07-21T00:40:51+10:00 info sshd[1093]: Failed password for root from 116.31.116.23 port 44170 ssh2
2017-07-21T10:40:53+10:00 info sshd[23659]: Last message 'Failed password for ' repeated 2 times, suppressed by syslog-ng on Cerberus.lan
2017-07-21T00:40:53+10:00 info sshd[1093]: Received disconnect from 116.31.116.23 port 44170:11: [preauth]
2017-07-21T00:40:53+10:00 info sshd[1093]: Disconnected from 116.31.116.23 port 44170 [preauth]
I can see from:
network-tools.com/default.asp?prog=express&host=116.31.116.
23
That this is apparently an IP address in China. To wit, am I to conclude some is trying to hack my router? Shall turn of ssh from WAN for now. But wonder if anyone else has seen something like this. Looks like a repeated password search effort.