SSH password check feature or a coincidence?

General discussion
1

I recently received Omnia and while still configuring it, observed the following in the log:

2017-04-17T01:29:30+03:00 info sshd[27105]: Invalid user 0 from 91.197.232.104 port 33605
2017-04-17T01:29:30+03:00 info sshd[27105]: input_userauth_request: invalid user 0 [preauth]
2017-04-17T01:29:30+03:00 info sshd[27105]: Failed none for invalid user 0 from 91.197.232.104 port 33605 ssh2
2017-04-17T01:29:30+03:00 err sshd[27105]: error: Could not get shadow information for NOUSER
2017-04-17T01:29:30+03:00 info sshd[27105]: Failed password for invalid user 0 from 91.197.232.104 port 33605 ssh2
2017-04-17T01:29:30+03:00 info sshd[27105]: Connection closed by 91.197.232.104 port 33605 [preauth]
2017-04-17T01:29:31+03:00 info sshd[27108]: Invalid user 0000 from 91.197.232.104 port 58236
2017-04-17T01:29:31+03:00 info sshd[27108]: input_userauth_request: invalid user 0000 [preauth]
2017-04-17T01:29:31+03:00 err sshd[27108]: error: Could not get shadow information for NOUSER
2017-04-17T01:29:31+03:00 info sshd[27108]: Failed password for invalid user 0000 from 91.197.232.104 port 58236 ssh2
2017-04-17T01:29:31+03:00 info sshd[27108]: Connection closed by 91.197.232.104 port 58236 [preauth]
2017-04-17T01:29:32+03:00 info sshd[27111]: Invalid user 010101 from 91.197.232.104 port 47998
2017-04-17T01:29:32+03:00 info sshd[27111]: input_userauth_request: invalid user 010101 [preauth]
2017-04-17T01:29:32+03:00 err sshd[27111]: error: Could not get shadow information for NOUSER
2017-04-17T01:29:32+03:00 info sshd[27111]: Failed password for invalid user 010101 from 91.197.232.104 port 47998 ssh2
2017-04-17T01:29:32+03:00 info sshd[27111]: Connection closed by 91.197.232.104 port 47998 [preauth]
2017-04-17T01:29:34+03:00 info sshd[27114]: Invalid user 1111 from 91.197.232.104 port 51586
2017-04-17T01:29:34+03:00 info sshd[27114]: input_userauth_request: invalid user 1111 [preauth]
2017-04-17T01:29:34+03:00 err sshd[27114]: error: Could not get shadow information for NOUSER
2017-04-17T01:29:34+03:00 info sshd[27114]: Failed password for invalid user 1111 from 91.197.232.104 port 51586 ssh2
2017-04-17T01:29:34+03:00 info sshd[27114]: Connection closed by 91.197.232.104 port 51586 [preauth]
2017-04-17T01:29:39+03:00 info sshd[27126]: Connection closed by 91.197.232.104 port 45786 [preauth]

I’ve googled that IP (91.197.232.104) and found that it was already reported more than thousand times for bruting SSH password here: https://www.abuseipdb.com/check/91.197.232.104

The interesting fact here is that geoip shows that it is Czech Republic which is, you know, the origin of Turris Omnia.

I live in Russia and my previous device was always bruted from China IP addresses only. That looks suspiciously for me: I bought Czech device and got SSH brute-force attack in a couple of days from Czech.

I though that it may be some kind of security ‘feature’ - like pen testing from cz.nic but I didn’t find any proof of that. Otherwise it’s not clear to me where Czech attacker got my IP from.