Who is brute-forcing my web server?!

Quick post, but what the hell is going on!

So I use fail2ban to protect my cloud VPS, and also set up a dashboard to visualise the data from that (tool is called intruder-alert, it's a really cool tool for fail2ban. Might make a post about setting it up). Anyways, I keep a semi-close eye on the data and have noticed something very odd.

Over the past 7 days, a network from the "Tencent Building, Kejizhongyi Avenue" has been banned 428 times. Doing some maths, that's an average of 61 bans per day. That doesn't just mean there were 428 failed SSH attempts, that means there were 3 failed attempts to SSH in a space of about 5 minutes, per IP address. If that threshold is passed, the IP is banned for an hour.

Interestingly, even though the IPs all seem to originate from the same ASN/network, the IP addresses seem to be coming mainly from Singapore (with it also being the most banned country), with many also coming from Japan (2nd place) as well as the United States (3rd place).

I have not a clue why so many attempts are coming from this network. They seemed to have slowed down, but still getting a lot of bans/jail activations.

They have (so far) peaked out at 165 bans in 1 day, with 22 IPs making up those bans. Very odd, but thought it was interesting enough to share. If anyone has any more information about this, share it in the comments! I'd love to know anything else about this. I've also attached a couple of screenshots of the dashboard data, if you're interested.
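
The same numbers the dashboard shows (total bans, average per day, peak day, distinct IPs on the peak day, and IPs that get re-banned after the one-hour ban expires) can be pulled straight from the fail2ban log. This is an added example, not part of the original post; it assumes the default `fail2ban.log` line format, and the sample lines and IPs are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed default log shape:
#   <date> <time> fail2ban.actions [pid]: NOTICE [jail] Ban <ip>
# "Unban" and "Restore Ban" (re-applied after a restart) are deliberately not matched.
BAN_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)"
)

# Constructed sample lines using documentation-range IPs, not data from the post.
SAMPLE_LOG = """\
2024-05-01 10:00:01,100 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.10 - 2024-05-01 10:00:01
2024-05-01 10:00:05,200 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.10
2024-05-01 11:00:05,300 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.10
2024-05-01 11:04:40,400 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.10
2024-05-01 11:06:12,500 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-05-02 03:15:09,600 fail2ban.actions        [812]: NOTICE  [sshd] Restore Ban 198.51.100.7
2024-05-02 09:30:44,700 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.10
2024-05-02 09:31:02,800 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 192.0.2.55
"""

def summarize_bans(lines, jail="sshd"):
    """Aggregate new bans for one jail: per-day counts, peak day, repeat IPs."""
    per_day = Counter()
    ips_per_day = defaultdict(set)
    per_ip = Counter()
    for line in lines:
        m = BAN_RE.match(line)
        if not m or m["jail"] != jail:
            continue
        per_day[m["day"]] += 1
        ips_per_day[m["day"]].add(m["ip"])
        per_ip[m["ip"]] += 1
    if not per_day:
        return None  # no bans for this jail in the input
    total = sum(per_day.values())
    peak_day, peak_bans = max(per_day.items(), key=lambda kv: kv[1])
    return {
        "total_bans": total,
        "avg_per_day": total / len(per_day),  # averaged over days that had bans
        "peak_day": peak_day,
        "peak_bans": peak_bans,
        "peak_unique_ips": len(ips_per_day[peak_day]),
        # An IP banned more than once came back after its ban expired.
        "repeat_offenders": {ip: n for ip, n in per_ip.items() if n > 1},
    }

if __name__ == "__main__":
    print(summarize_bans(SAMPLE_LOG.splitlines()))
```

A large gap between ban count and distinct IPs on the peak day means the same hosts are returning as soon as the ban lifts, which is the case a longer or incrementing ban time addresses.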