Kul
Contributor

Log file - network compromised

One of my Check Point clients got logs sent by the ISP saying that a lot of traffic is being generated and my network is compromised. The IP address in the log is the IP of one of my servers.

I blocked SSH from outside to the server as well.

What do I do?

Reported-From: abuse-team@blocklist.de
Category: abuse
Report-Type: login-attack
Service: ssh
Version: 0.2
User-Agent: Fail2BanFeedBackScript blocklist.de V0.2
Date: Sat, 21 Sep 2019 08:24:56 +0200
Source-Type: ip-address
Source: 202.xxx.xx.xx
Port: 22
Report-ID: 896439139@blocklist.de
Schema-URL: http://www.xarf.org/schema/abuse_login-attack_0.1.2.json
Attachment: text/plain

 

Sep 21 08:24:54 vps34202 sshd[544]: Address 202.XX.XX.XX maps to www.xx.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 21 08:24:54 vps34202 sshd[544]: Invalid user oracle from 202.XX.XX.XX
Sep 21 08:24:54 vps34202 sshd[544]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.XX.XX.XX 
Sep 21 08:24:56 vps34202 sshd[544]: Failed password for invalid user oracle from 202.XX.XX.XX port 45262 ssh2
Sep 21 08:24:56 vps34202 sshd[544]: Received disconnect from 202.XX.XX.XX: 11: Bye Bye [preauth]
