View try ubuntu login server ip, ip generally used to view the source of the attack:
grep "Failed password for root" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more
centos try to log in to view the server's ip, ip generally used to view the source of the attack:
cat /var/log/secure | awk '/Failed/{print $(NF-3)}'| sort| uniq -c| awk '{print $2"="$1;}'
Then join over ip /etc/hosts.deny
file format:all:114.115.116.117