Systems running an SSH server have been a frequent target of attack for perhaps the last 10 years. You check your logs in the morning, and find that there were several thousand login attempts (hopefully, all failures) from one IP address. And a few days later, it happens from another IP address.
To succeed, a SSH attacker has to guess both a user loginid and the password for that user. The attackers often try standard user accounts, such as “root”, “bin”, “daemon”.