
I have a VPS and every day I get a super crowded Logwatch.

I'm not an expert on Debian, so I don't know if this is normal or if I should worry.

Any opinions?


 ################### Logwatch 7.4.0 (03/01/11) #################### 
        Processing Initiated: Wed Apr 15 06:25:28 2020
        Date Range Processed: yesterday
                              ( 2020-Apr-14 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: mail / text
        Logfiles for Host: ***.***.**
 ################################################################## 

 --------------------- fail2ban-messages Begin ------------------------ 

 Banned services with Fail2Ban:              Bans:Unbans
    ssh:                                                    [495:500]

 ---------------------- fail2ban-messages End ------------------------- 


 --------------------- httpd Begin ------------------------ 


 Connection attempts using mod_proxy:
    113.128.105.226 -> www.baidu.com:443: 1 Time(s)
    119.118.30.23 -> www.ipip.net:443: 1 Time(s)
    223.12.78.165 -> cn.bing.com:443: 1 Time(s)
    45.13.93.90 -> ip.ws.126.net:443: 1 Time(s)

 A total of 993 sites probed the server 
    100.18.10.141
    101.165.194.135
    102.115.161.115
    103.214.12.244
    103.80.239.154
    104.191.118.29
    104.192.236.93
    106.180.4.213
    107.141.74.125
    108.17.75.210
    108.70.82.189
    109.112.38.174
    109.116.190.21
    109.117.136.112
    109.118.88.47
    [...]

 ---------------------- httpd End ------------------------- 


 --------------------- iptables firewall Begin ------------------------ 


 Listed by source hosts:
 Logged 4735 packets on interface eth0
   From 2.25.218.189 - 16 packets to tcp(443) 
   From 2.32.62.225 - 8 packets to tcp(443) 
   From 2.34.179.95 - 4 packets to tcp(443) 
   From 2.36.160.255 - 4 packets to tcp(443) 
   From 2.37.140.177 - 1 packet to tcp(443) 
   From 2.39.41.23 - 10 packets to tcp(443) 
   From 2.45.1.230 - 3 packets to tcp(443) 
   From 2.45.152.99 - 2 packets to tcp(443) 
   From 2.102.45.174 - 2 packets to tcp(443) 
   From 2.132.43.242 - 1 packet to tcp(80) 
   From 2.177.207.154 - 1 packet to tcp(443) 
   From 2.178.237.89 - 1 packet to tcp(80) 
   From 2.180.124.124 - 1 packet to tcp(22) 
   From 2.181.21.231 - 3 packets to tcp(80) 
   From 2.181.67.150 - 3 packets to tcp(22) 
   From 2.186.1.136 - 2 packets to tcp(80) 
   From 2.186.43.121 - 1 packet to tcp(443) 
   [...]

 ---------------------- iptables firewall End ------------------------- 


 --------------------- pam_unix Begin ------------------------ 

 sshd:
    Authentication Failures:
       root (222.186.190.17): 180 Time(s)
       unknown (78.107.220.5): 82 Time(s)
       unknown (139.217.218.255): 48 Time(s)
       root (9.213.155.104.bc.googleusercontent.com): 47 Time(s)
       root (206.189.164.136): 41 Time(s)
       unknown (134.209.228.253): 41 Time(s)
       root (125.74.47.230): 38 Time(s)
       root (163.172.178.167): 36 Time(s)
       root (ns3003413.ip-5-196-75.eu): 36 Time(s)
       root (106.12.2.81): 35 Time(s)
       root (184.13.240.142): 35 Time(s)
       unknown (9.213.155.104.bc.googleusercontent.com): 35 Time(s)
       [...]

    Invalid Users:
       Unknown Account: 2879 Time(s)


 ---------------------- pam_unix End ------------------------- 


 --------------------- SSHD Begin ------------------------ 


 Illegal users from:
    undef: 1441 times
    1.53.158.156: 1 time
    1.214.156.163: 43 times
    2.184.4.3: 46 times
    3.133.0.24 (ec2-3-133-0-24.us-east-2.compute.amazonaws.com): 31 times
    5.135.94.191 (ip191.ip-5-135-94.eu): 36 times
    5.135.181.53 (ns3120718.ip-5-135-181.eu): 27 times
    5.147.173.226 (ip-5-147-173-226.unitymediagroup.de): 1 time
    [...]

 Login attempted when not in AllowUsers list:
    backup : 18 Time(s)
    bin : 32 Time(s)
    daemon : 5 Time(s)
    games : 3 Time(s)
    irc : 1 Time(s)
    list : 1 Time(s)
    lp : 1 Time(s)
    mail : 2 Time(s)
    man : 1 Time(s)
    messagebus : 3 Time(s)
    mysql : 26 Time(s)
    news : 3 Time(s)
    nobody : 2 Time(s)
    postfix : 1 Time(s)
    proxy : 1 Time(s)
    root : 4881 Time(s)
    sshd : 3 Time(s)
    sync : 3 Time(s)
    sys : 5 Time(s)
    uucp : 3 Time(s)
    www-data : 6 Time(s)

 ---------------------- SSHD End ------------------------- 




 ###################### Logwatch End ######################### 

1 Answer


It's a mixture of scanning and attacking (looking for weak points; see how the usual user names/services are tried). Every internet-facing server is probed that way; there is no way to avoid it if the services you offer are public.

It is not Debian specific, it is related to the services on your server.

What you can do, and you already have for ssh, is try to restrict the amount of tries those scans get to do before being banned (fail2ban). You might also want to check if you are using mod_proxy, since some of the probes were checking if you had an open proxy set up (but did not succeed).

Though I see nothing worrisome in your report, you will have to learn how to read it in case something bad happens. If there is a part you do not understand (most of it is self-explanatory), feel free to ask.

Eduardo Trápani
  • Thank you for your answer, Eduardo! Yes, the server is facing the internet. It runs 2 e-commerce websites. By "try to restrict the amount of tries those scans get to do before being banned (fail2ban)" do you mean I could go into the fail2ban settings and adjust the configuration? – Gianluca Della Porta Apr 16 '20 at 19:50
  • I just meant that you were already doing it. I mentioned it in case somebody else found this while searching for a similar problem. – Eduardo Trápani Apr 16 '20 at 21:25
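A small parser, added here as an example (it is not from the question or the answer), that pulls out of a report in the layout quoted above the numbers worth checking first: ssh bans versus unbans, how many mod_proxy probes arrived and which third-party hosts they asked for (the open-proxy test the answer mentions), and which sources and accounts drive the SSH failures. The report text it runs on is a constructed excerpt in the same layout, not the asker's real report.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Logwatch report quoted above (sample values).
SAMPLE = """\
 --------------------- fail2ban-messages Begin ------------------------
 Banned services with Fail2Ban:              Bans:Unbans
    ssh:                                                    [495:500]
 ---------------------- fail2ban-messages End -------------------------
 --------------------- httpd Begin ------------------------
 Connection attempts using mod_proxy:
    113.128.105.226 -> www.baidu.com:443: 1 Time(s)
    223.12.78.165 -> cn.bing.com:443: 2 Time(s)
 ---------------------- httpd End -------------------------
 --------------------- pam_unix Begin ------------------------
 sshd:
    Authentication Failures:
       root (222.186.190.17): 180 Time(s)
       unknown (78.107.220.5): 82 Time(s)
       root (206.189.164.136): 41 Time(s)
 ---------------------- pam_unix End -------------------------
"""

SECTION_RE = re.compile(r"^\s*-+ (.+?) (Begin|End) -+\s*$")
BAN_RE = re.compile(r"^\s*(\w+):\s+\[(\d+):(\d+)\]\s*$")
PROXY_RE = re.compile(r"^\s*(\S+) -> (\S+): (\d+) Time\(s\)")
FAIL_RE = re.compile(r"^\s*(\S+) \((\S+)\): (\d+) Time\(s\)")

def triage(report):
    """Pull out the numbers a defender checks first, keyed by report section."""
    out = {"bans": {}, "proxy_probes": 0, "proxy_targets": set(),
           "root_failures": 0, "sources": Counter()}
    section = None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:  # 'X Begin' opens a section, 'X End' closes it
            section = m.group(1) if m.group(2) == "Begin" else None
            continue
        if section == "fail2ban-messages" and (m := BAN_RE.match(line)):
            out["bans"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif section == "httpd" and (m := PROXY_RE.match(line)):
            # a third-party target means the client tested for an open forward proxy
            out["proxy_probes"] += int(m.group(3))
            out["proxy_targets"].add(m.group(2).rsplit(":", 1)[0])
        elif section == "pam_unix" and (m := FAIL_RE.match(line)):
            n = int(m.group(3))
            out["sources"][m.group(2)] += n
            if m.group(1) == "root":
                out["root_failures"] += n
    return out
```

Feed it the full report text and compare `sources.most_common()` against the fail2ban ban count: sources with hundreds of failures that never appear in a ban are the ones to look at.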