The drops on my firewall logs are from all over, although the University of Michigan has taken a dislike to me for some reason.
I have pretty long timeouts on my fail2ban scripts, so if something shows up more than twice I know it's targeted and have a full scan of /var/log to see what else that IP address has been up to and who it is. If it's a US or Chinese hosting company I tend to blacklist their entire IP range.
That said, I have found many companies quite responsive to a heads up because in some cases it's evident the wannabe hacker is using their server to act as a script proxy so it must be breached. They generally get one warning. If they show up again they get told they'll be billed for my time (not that I would or even could without a court case AFAIK, but for some reason that seems to wake people up).
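A sketch of the triage described in the post above, added here as an illustration and not the poster's own script: count ban events per address in a fail2ban log, keep those seen more than twice, then pull every line mentioning that address from other logs. The log lines are constructed samples using documentation addresses, and the names `repeat_offenders` and `activity_for` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample data (RFC 5737 documentation addresses), not real logs.
FAIL2BAN_LOG = """\
2024-03-01 02:11:09,412 fail2ban.actions [811]: NOTICE [sshd] Ban 192.0.2.44
2024-03-09 04:52:30,018 fail2ban.actions [811]: NOTICE [sshd] Unban 192.0.2.44
2024-03-09 05:03:12,770 fail2ban.actions [811]: NOTICE [nginx-http-auth] Ban 192.0.2.44
2024-03-10 13:40:01,101 fail2ban.actions [811]: NOTICE [sshd] Ban 198.51.100.7
2024-03-18 23:15:47,655 fail2ban.actions [811]: NOTICE [sshd] Ban 192.0.2.44
"""
# Stand-in for the files under /var/log, kept in memory so this runs offline.
OTHER_LOGS = {
    "auth.log": [
        "Mar  1 02:11:07 host sshd[2210]: Failed password for root from 192.0.2.44 port 51122 ssh2",
        "Mar 10 13:39:58 host sshd[3001]: Invalid user admin from 198.51.100.7 port 40022",
    ],
    "nginx/access.log": [
        '192.0.2.44 - - [09/Mar/2024:05:03:10 +0000] "GET /admin HTTP/1.1" 401 179',
        '192.0.2.4 - - [09/Mar/2024:06:00:00 +0000] "GET / HTTP/1.1" 200 612',
    ],
}

# Matches new IPv4 bans only; "Unban" and "Restore Ban" lines are skipped.
BAN_RE = re.compile(r"\[([^\]]+)\] Ban (\d{1,3}(?:\.\d{1,3}){3})\s*$")

def repeat_offenders(log_text, more_than=2):
    """Return {ip: ban_count} for addresses banned more than `more_than` times."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n > more_than}

def activity_for(ip, logs):
    """Return (log name, line) pairs that mention exactly this address."""
    # Lookarounds stop 192.0.2.4 from matching inside 192.0.2.44.
    pat = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [(name, line) for name, lines in logs.items()
            for line in lines if pat.search(line)]

if __name__ == "__main__":
    for ip, n in repeat_offenders(FAIL2BAN_LOG).items():
        print(f"{ip}: banned {n} times")
        for name, line in activity_for(ip, OTHER_LOGS):
            print(f"  {name}: {line}")
```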