I tried to rule out that you "construct" the idea of being attacked, e.g. you see lots of port scans with incrementing port numbers in your iptables log, then your totally legit ssh login that is correctly logged (possibly in another file).