yes, it is often the same ip. for example in yesterday's log i see the ip 184.108.40.206 attempting to connect about 10 times per minute for 5 hours straight. every attempt generates these two lines in the auth.log:
sshd: Received disconnect from 220.127.116.11: 11: Bye Bye [preauth]
sshd: reverse mapping checking getaddrinfo for ns2.caroneonline.com.br [18.104.22.168] failed - POSSIBLE BREAK-IN ATTEMPT!
i really don't know how much of a threat this is but it doesn't look particularly friendly and i'm usually curious when my logs scream something like "POSSIBLE BREAK-IN ATTEMPT!" in all caps. that being said, my ssh accepts key only now, so in theory there's not much of anything that should be a threat. before i stopped allowing passworded logins i was getting thousands of brute force login attempts per day.
i really don't know, what's your opinion? is this a threat? should i even bother running fail2ban with key only ssh or is that enough by itself?
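To put numbers on a pattern like the one described in this post, the following added example (not part of the original post) counts pre-auth disconnects per source address per minute and records reverse-mapping mismatches for the same address. The log lines, addresses (documentation ranges) and hostnames are constructed, the syslog prefix format is an assumption, and `summarize`, `noisy` and `sample_lines` are hypothetical names.

```python
import re
from collections import Counter, defaultdict

# Line 1 of each attempt: forward/reverse DNS mismatch for the client address.
REVMAP = re.compile(r"reverse mapping checking getaddrinfo for (\S+) "
                    r"\[([^\]]+)\] failed - POSSIBLE BREAK-IN ATTEMPT!")
# Line 2: the client hung up before authenticating.
PREAUTH = re.compile(r"Received disconnect from (\S+): \d+: .*\[preauth\]")
# Assumed syslog timestamp, truncated to the minute, e.g. "Mar  3 10:15".
MINUTE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d ")

def summarize(lines):
    """Per source IP: attempts, peak attempts per minute, mismatched rDNS names."""
    per_min = defaultdict(Counter)
    names = defaultdict(set)
    for line in lines:
        ts = MINUTE.match(line)
        if not ts or "sshd" not in line:
            continue
        if (m := PREAUTH.search(line)):
            per_min[m.group(1)][ts.group(1)] += 1   # one count per attempt
        elif (m := REVMAP.search(line)):
            names[m.group(2)].add(m.group(1))       # same attempt, not recounted
    return {ip: {"attempts": sum(c.values()), "peak_per_min": max(c.values()),
                 "rdns_mismatch": names.get(ip, set())}
            for ip, c in per_min.items()}

def noisy(summary, threshold=10):
    """IPs whose busiest minute reached the threshold (10/min, as in the post)."""
    return sorted(ip for ip, s in summary.items() if s["peak_per_min"] >= threshold)

def sample_lines():
    """Constructed auth.log lines; addresses are from documentation ranges."""
    out = []
    for sec in range(0, 60, 6):                     # 10 attempts in one minute
        pre = f"Mar  3 10:15:{sec:02d} host sshd[{1000 + sec}]: "
        out.append(pre + "reverse mapping checking getaddrinfo for "
                   "ns.example.test [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!")
        out.append(pre + "Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]")
    for sec in (5, 40):                             # low-rate source
        out.append(f"Mar  3 10:16:{sec:02d} host sshd[2000]: "
                   "Received disconnect from 198.51.100.9: 11: Bye Bye [preauth]")
    out.append("Mar  3 10:17:00 host sshd[3000]: "
               "Accepted publickey for alice from 192.0.2.10 port 50000 ssh2")
    return out

if __name__ == "__main__":
    report = summarize(sample_lines())
    for ip in noisy(report):
        print(ip, report[ip])
```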