
Need help with a message that appears on my router

amralrazzaz

Dears,

I don't know what happened. I keep receiving this message, always and continuously, and I can't configure or type anything, as shown below. How do I stop this, please?

 

May 6 10:09:58.752: %SSH-5-SSH2_USERAUTH: User 'root' authentication for SSH2 Session from 123.145.10.114 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
May 6 10:09:58.752: %SSH-5-SSH2_CLOSE: SSH2 Session from 123.145.10.114 (tty = 1) for user 'root' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
May 6 10:09:59.268: %SSH-5-SSH2_USERAUTH: User 'bccatsc' authentication for SSH2 Session from 103.145.12.23 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
May 6 10:09:59.268: %SSH-5-SSH2_CLOSE: SSH2 Session from 103.145.12.23 (tty = 0) for user 'bccatsc' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed
May 6 10:10:00.996: %SSH-5-SSH2_SESSION: SSH2 Session request from 123.145.10.114 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
May 6 10:10:01.948: %SSH-5-SSH2_SESSION: SSH2 Session request from 103.145.12.23 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded
May 6 10:10:04.340: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 103.145.12.23 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
May 6 10:10:04.340: %SSH-5-SSH2_CLOSE: SSH2 Session from 103.145.12.23 (tty = 0) for user 'admin' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed
May 6 10:10:04.684: %SSH-5-SSH2_USERAUTH: User 'root' authentication for SSH2 Session from 123.145.10.114 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
May 6 10:10:04.684: %SSH-5-SSH2_CLOSE: SSH2 Session from 123.145.10.114 (tty = 1) for user 'root' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
May 6 10:10:07.148: %SSH-5-SSH2_SESSION: SSH2 Session request from 103.145.12.23 (tty = 1) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded

 

 

I don't know what all of these IP addresses are. How can I stop this, and where is it coming from? Please help.

 

 

It keeps showing this all the time; I can't show anything, it's really a mess.

amr alrazzaz

amralrazzaz

While connecting via the console port, it shows this to me all the time.

How do I stop this, please?

I keep seeing this when I connect via the console port back to back, but SSH and Telnet are working fine.

Error via console:

 

 

May 6 10:37:06.424: %SSH-5-SSH2_SESSION: SSH2 Session request from 103.145.12.23 (tty = 2) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded
May 6 10:37:08.128: %SSH-5-SSH2_SESSION: SSH2 Session request from 123.145.10.114 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
May 6 10:37:08.832: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 103.145.12.23 (tty = 2) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
May 6 10:37:08.832: %SSH-5-SSH2_CLOSE: SSH2 Session from 103.145.12.23 (tty = 2) for user 'admin' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed
May 6 10:37:11.440: %SSH-5-SSH2_SESSION: SSH2 Session request from 103.145.12.23 (tty = 2) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded
May 6 10:37:11.904: %SSH-5-SSH2_USERAUTH: User 'root' authentication for SSH2 Session from 123.145.10.114 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
May 6 10:37:11.904: %SSH-5-SSH2_CLOSE: SSH2 Session from 123.145.10.114 (tty = 0) for user 'root' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
May 6 10:37:13.816: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 103.145.12.23 (tty = 2) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
May 6 10:37:13.816: %SSH-5-SSH2_CLOSE: SSH2 Session from 103.145.12.23 (tty = 2) for user 'admin' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed
May 6 10:37:14.084: %SSH-5-SSH2_SESSION: SSH2 Session request from 123.145.10.114 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
May 6 10:37:16.504: %SSH-5-SSH2_SESSION: SSH2 Session request from 103.145.12.23 (tty = 2) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded

User Access Verification

Password:
May 6 10:37:17.752: %SSH-5-SSH2_USERAUTH: User 'root' authentication for SSH2 Session from 123.145.10.114 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
May 6 10:37:17.752: %SSH-5-SSH2_CLOSE: SSH2 Session from 123.145.10.114 (tty = 0) for user 'root' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
May 6 10:37:18.884: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 103.145.12.23 (tty = 2) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
May 6 10:37:18.884: %SSH-5-SSH2_CLOSE: SSH2 Session from 103.145.12.23 (tty = 2) for user 'admin' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed
May 6 10:37:19.908: %SSH-5-SSH2_SESSION: SSH2 Session request from 123.145.10.114 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
May 6 10:37:21.588: %SSH-5-SSH2_SESSION: SSH2 Session request from 103.145.12.23 (tty = 2) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded
May 6 10:37:23.552: %SSH-5-SSH2_USERAUTH: User 'root' authentication for SSH2 Session from 123.145.10.114 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
May 6 10:37:23.552: %SSH-5-SSH2_CLOSE: SSH2 Session from 123.145.10.114 (tty = 0) for user 'root' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
May 6 10:37:23.988: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 103.145.12.23 (tty = 2) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
May 6 10:37:23.988: %SSH-5-SSH2_CLOSE: SSH2 Session from 103.145.12.23 (tty = 2) for user 'admin' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed
May 6 10:37:25.704: %SSH-5-SSH2_SESSION: SSH2 Session request from 123.145.10.114 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
May 6 10:37:26.676: %SSH-5-SSH2_SESSION: SSH2 Session request from 103.145.12.23 (tty = 2) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded

amr alrazzaz

Hello,

 

Assuming these IP addresses are not within your company address space, and the user accounts are not yours, I would say these are hack attempts.

 

Try and configure an access list on your external interface to block SSH attempts, and check if the messages disappear:

 

ip access-list extended BLOCK_SSH
deny tcp any host x.x.x.x eq ssh
permit ip any any
!
interface GigabitEthernet0/0
description Link to ISP
! x.x.x.x y.y.y.y = address and mask of this external interface
ip address x.x.x.x y.y.y.y
ip access-group BLOCK_SSH in
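
A way to triage the `%SSH-5-SSH2_USERAUTH` messages discussed in this thread, as an added example that is not part of any participant's post: it counts failed logins per source address and lists the usernames tried. The log lines are constructed (documentation-range addresses, made-up usernames), and the `summarize` function, its threshold and the 'Succeeded' wording for USERAUTH lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown in the thread (documentation-range
# addresses, made-up usernames). One line has a console-wrap space in the address.
SAMPLE_LOG = """\
May 6 10:09:58.752: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 198.51.100.23 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
May 6 10:09:58.752: %SSH-5-SSH2_CLOSE: SSH2 Session from 198.51.100.23 (tty = 0) for user 'admin' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed
May 6 10:10:00.996: %SSH-5-SSH2_SESSION: SSH2 Session request from 203.0.113.114 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
May 6 10:10:04.684: %SSH-5-SSH2_USERAUTH: User 'root' authentication for SSH2 Session from 203.0.113.114 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
May 6 10:10:05.340: %SSH-5-SSH2_USERAUTH: User 'backup' authentication for SSH2 Session from 198.51.100.23 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
May 6 10:10:09.112: %SSH-5-SSH2_USERAUTH: User 'root' authentication for SSH2 Session from 203.0.113.114 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
May 6 10:10:10.204: %SSH-5-SSH2_USERAUTH: User 'test' authentication for SSH2 Session from 198.51.100.23 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
May 6 10:10:15.816: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 198.51.100.2 3 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
May 6 10:11:02.300: %SSH-5-SSH2_USERAUTH: User 'netops' authentication for SSH2 Session from 192.0.2.10 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
May 6 10:11:09.480: %SSH-5-SSH2_USERAUTH: User 'netops' authentication for SSH2 Session from 192.0.2.10 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
"""

# Assumption: a successful login ends in 'Succeeded', like the SSH2_SESSION lines.
USERAUTH = re.compile(
    r"%SSH-5-SSH2_USERAUTH: User '(?P<user>[^']*)' authentication for SSH2 Session "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) \(tty = \d+\).* (?P<result>Failed|Succeeded)\s*$"
)

def summarize(log_text, min_failures=3):
    """Return (per-source report sorted by failures, count of unparsable lines)."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0, "users": set()})
    skipped = 0
    for line in log_text.splitlines():
        if "SSH2_USERAUTH" not in line:
            continue  # SSH2_SESSION / SSH2_CLOSE lines carry no auth result
        m = USERAUTH.search(line)
        if m is None:
            skipped += 1  # damaged line: count it instead of guessing
            continue
        entry = stats[m["src"]]
        entry["users"].add(m["user"])
        entry["failed" if m["result"] == "Failed" else "succeeded"] += 1
    report = []
    for src, e in stats.items():
        report.append({
            "src": src,
            "failed": e["failed"],
            "succeeded": e["succeeded"],
            "users": sorted(e["users"]),
            # many failures and never a success: password guessing
            "guessing": e["failed"] >= min_failures and e["succeeded"] == 0,
            # both failures and a success from one source deserve a closer look
            "review": e["failed"] > 0 and e["succeeded"] > 0,
        })
    report.sort(key=lambda r: r["failed"], reverse=True)
    return report, skipped

if __name__ == "__main__":
    rows, skipped = summarize(SAMPLE_LOG)
    for r in rows:
        print(r)
    print("unparsable USERAUTH lines:", skipped)
```
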

Can you please check the config below and help with where exactly to paste your config?

 

 

ip dhcp pool LAN
network 192.1x.x.0 2x5.255.255.0
default-router 1x.16x.x.2x
domain-name x.x
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool WIFI-OFFICE
network 1x.1x4.0 2x5.255.255.0
default-router 1x2.x.x.2x
domain-name x.x
dns-server 8.8.8.x 8.8.4.4
!

!
ip dhcp pool WIFI-GUEST
network 1x.1x8.x.0 255.255.255.0
default-router 1x.x.x.207
dns-server 8.8.8.x 8.8.4.4
!

!
!
!
no ip domain lookup
ip domain name EGCAI01.nms.local
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
!
!
trunk group Mobile
!
!
trunk group pstn
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-2728187941
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2728187941
revocation-check none
rsakeypair TP-self-signed-2728187941
!
!
crypto pki certificate chain TP-self-signed-2728187941
certificate self-signed 01

license udi pid CISCO2911/K9 sn FCZ190360AM
license accept end user agreement
hw-module pvdm 0/0
!
!
!
file privilege 0
object-group network RFC-PRIVATE
10.0.0.0 255.0.0.0
172.16.0.0 255.240.0.0
192.168.0.0 255.255.0.0
!
username xxxxx password x 1511021F0C70
username xxxxxx secret x $1$5Klr$GneBF.AwmAgvMY4lW/Ylk1
username xxx
username xxxx
username ...... privilege 15 secret 9 $9$eSfWH2ACcyEpgU$kBe69JmDRjwR01pDNDUjBF17G2JI8hOCafvoaptS8f6
!
redundancy
!
process-max-time 50
!
ip ssh time-out 90
ip ssh logging events
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description connected to local NW-INTERVLAN
no ip address
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.2
description FACE-client-LAN
encapsulation dot1Q 2
ip address 1x.x.x.x 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!

interface GigabitEthernet0/0.12
description badge-reader
encapsulation dot1Q 12
ip address 1x.x.x2.x 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
description WIFI-OFFICE
encapsulation dot1Q 20
ip address 1x.x.x.x 255.255.x.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!

 


interface GigabitEthernet0/0.912
description WIFI-Guest
encapsulation dot1Q 912
ip address 19x.1x.8.x 255.255.255.0
ip access-group in_guest_traffic in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
description connected to WAN
no ip address
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.328
description connected to PRIMARY_ISP
encapsulation dot1Q 328
ip address x.x.x.x 255.xc5.255.x secondary
ip address x.x.x.x 255.255.255.x
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/2
description connected to SECONDARY_ISP
no ip address
ip nat outside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/GUI
ip flow-export source GigabitEthernet0/0
ip flow-export version 9
ip flow-top-talkers
top 60
sort-by packets
!
ip nat pool PUBLIC_POOL x.x.x.x x.x.x.x netmask 255.255.255.x
ip nat inside source route-map INTERNET_TRAFFIC pool PUBLIC_POOL overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1.328 1x.x.1x.x
!
ip access-list extended INTERNET_PAT
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.6.0 0.0.0.255 any
permit ip 192.168.7.0 0.0.0.255 any
permit ip 192.168.8.0 0.0.0.255 any
permit ip 192.168.9.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
permit ip 192.168.13.0 0.0.0.255 any
!
ip access-list extended in_guest_traffic
deny ip any object-group RFC-PRIVATE
permit ip any any
!
logging trap notifications
logging host 10.x.x.x
!
route-map INTERNET_TRAFFIC permit 10
match ip address INTERNET_PAT
match interface GigabitEthernet0/1.328
!
!
line con 0
password 7 060506324F41
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 15 0
logging synchronous
login local
transport input all
line vty 5 15
exec-timeout 15 0
logging synchronous
login
transport input all
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0.250
ntp master
ntp update-calendar
ntp server 10.x8.0.x
ntp server 10.x.0.1x
ntp server 10.x.1x.1x
ntp server 10.8x.1x0.183
ntp server 0.eg.pool.ntp.org
!
end

amr alrazzaz

ip access-list extended BLOCK_SSH
ip address x.x.x.x y.y.y.y                         What should this IP be?
deny tcp any host x.x.x.x eq ssh       I have 7 VLANs and I can access all the gateways via SSH, so shall I add all of them one by one? For example: I have (vlan1 gw x.x.1.0, vlan2 x.x.2.0, and so on)?
permit ip any any
!
interface GigabitEthernet0/0
description Link to ISP
ip access-group BLOCK_SSH in

amr alrazzaz

Whose are these weird names that appear to me? The messages keep coming.

May I ask for your kind support :)

 

'aes128-cbc', hmac 'hmac-sha1' closed
May 6 11:38:07.404: %SSH-5-SSH2_USERAUTH: User 'root' authentication for SSH2 Session from 123.145.10.114 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
May 6 11:38:07.404: %SSH-5-SSH2_CLOSE: SSH2 Session from 123.145.10.114 (tty = 0) for user 'root' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
May 6 11:38:09.136: %SSH-5-SSH2_USERAUTH: User 'monicasafawt' authentication for SSH2 Session from 156.96.150.58 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
May 6 11:38:09.136: %SSH-5-SSH2_CLOSE: SSH2 Session from 156.96.150.58 (tty = 2) for user 'monicasafawt' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
May 6 11:38:09.380: %SSH-5-SSH2_SESSION: SSH2 Session request from 103.145.12.23 (tty = 1) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded
May 6 11:38:09.780: %SSH-5-SSH2_SESSION: SSH2 Session request from 123.145.10.114 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
May 6 11:38:11.760: %SSH-5-SSH2_USERAUTH: User 'wallace.mcgown' authentication for SSH2 Session from 103.145.12.23 (tty = 1) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
May 6 11:38:11.760: %SSH-5-SSH2_CLOSE: SSH2 Session from 103.145.12.23 (tty = 1) for user 'wallace.mcgown' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed
May 6 11:38:13.424: %SSH-5-SSH2_USERAUTH: User 'root' authentication for SSH2 Session from 123.145.10.114 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
May 6 11:38:13.424: %SSH-5-SSH2_CLOSE: SSH2 Session from 123.145.10.114 (tty = 0) for user 'root' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
May 6 11:38:14.056: %SSH-5-SSH2_SESSION: SSH2 Session request from 103.145.12.23 (tty = 1) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded
May 6 11:38:15.664: %SSH-5-SSH2_SESSION: SSH2 Session request from 123.145.10.114 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
May 6 11:38:16.492: %SSH-5-SSH2_USERAUTH: User 'morag.holdsworth' authentication for SSH2 Session from 103.145.12.23 (tty = 1) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
May 6 11:38:16.492: %SSH-5-SSH2_CLOSE: SSH2 Session from 103.145.12.23 (tty = 1) for user 'morag.holdsworth' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed
May 6 11:38:19.192: %SSH-5-SSH2_SESSION: SSH2 Session request from 103.145.12.23 (tty = 1) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded
May 6 11:38:19.348: %SSH-5-SSH2_USERAUTH: User 'root' authentication for SSH2 Session from 123.145.10.114 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
May 6 11:38:19.352: %SSH-5-SSH2_CLOSE: SSH2 Session from 123.145.10.114 (tty = 0) for user 'root' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
May 6 11:38:21.588: %SSH-5-SSH2_SESSION: SSH2 Session request from 123.145.10.114 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
May 6 11:38:21.616: %SSH-5-SSH2_USERAUTH: User 'alastair.cupples' authentication for SSH2 Session from 103.145.12.23 (tty = 1) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
May 6 11:38:21.616: %SSH-5-SSH2_CLOSE: SSH2 Session from 103.145.12.23 (tty = 1) for user 'alastair.cupples' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed

amr alrazzaz

Hello,

 

Do these usernames (e.g. 'monicasafawt') mean anything to you? Are these usernames from within your company?

The SSH attempts appear to come from external, public IP addresses. How many interfaces do you have with external IP addresses? It is probably sufficient to configure the access list on these interfaces only.

 

The IP address of the host should be the same as your public IP address:

 

ip access-list extended BLOCK_SSH
deny tcp any host 101.1.1.1 eq ssh
permit ip any any
!
interface GigabitEthernet0/0
description Link to ISP

ip address 101.1.1.1 255.255.255.248
ip access-group BLOCK_SSH in

 

 

No, it does not mean anything to me.

I have 3 free public IP addresses. I used 2 of them, as below, for the NAT overload traffic for internet, and the 3rd one I configured on the WAN interface for VPN traffic in the future.

 

ip nat pool PUBLIC_POOL 1x.2x4.80.x x.204.x0.x netmask 255.2x.2x.248
ip nat inside source route-map INTERNET_TRAFFIC pool PUBLIC_POOL overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1.328 172.19.1x8.8x
!

interface GigabitEthernet0/1.328
description connected to PRIMARY_ISP
encapsulation dot1Q 328
ip address 172.x9.138.x0 2x5.2x5.255.2xx secondary
ip address 1xx.2x.8x.x 255.255.x.248
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in

 

And for the VLANs: I have 10 VLANs in my local network, and the gateway of any of them can be accessed using SSH.

These errors appear when I connect via the console port, and it keeps showing this.

amr alrazzaz

Hello,

 

apply the access list to the external interface, and check if the messages stop:

 

ip access-list extended BLOCK_SSH
deny tcp any host 172.x9.138.x0 eq ssh
deny tcp any host 1xx.2x.8x.x eq ssh
permit ip any any
!
interface GigabitEthernet0/1.328
description connected to PRIMARY_ISP
encapsulation dot1Q 328
ip address 172.x9.138.x0 2x5.2x5.255.2xx secondary
ip address 1xx.2x.8x.x 255.255.x.248
ip access-group BLOCK_SSH in
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in

In addition, if you don't want to see these messages in your logs, you can also configure a logging discriminator:

 

logging discriminator SSH severity drops 5 facility drops SSH2 mnemonics drops SSH2_USERAUTH

 

logging buffered discriminator SSH 100000
logging console discriminator SSH
logging monitor discriminator SSH
logging host 192.168.100.10 discriminator SSH

omz

Hi 

Just for info -

These messages are generated with the command - ip ssh logging events - in the config.

no ip ssh logging events - to disable
