This post is a fascinating look at how botnets actually work. I don’t want to spoil the takeaways so I’ll just quote this (but you should read the whole thing):
Your server isn’t special. Nobody is “targeting” it. Every IP address on the internet is being continuously probed by automated systems. Within seconds of exposing port 22, you will receive login attempts. This isn’t a question of “if” but “when” — and the answer to “when” is “immediately.”