Keeping an eye on your server’s SSH activity from time to time is recommended. I created a dashboard using Kibana/Elastic Search to quickly review and potentially identify any suspicious activity. It is available on github (https://github.com/aymenfurter/kibana-sshactivity/).
It is split into two sections. One sections gives you the general SSH Activity (e.g. failed login attemps). The section on the right gives you the amount of created root sessions.
Next I will setup Fail2Ban and see how this influences the statistics.