I’ve recently seen login attempts using keys, found it curious…

Permitting inbound SSH attempts, but disallowing actual logins, is an effective strategy to identify compromised hosts in real-time.

The origin address of any login attempt is betraying it shouldn’t be trusted, and be fed into tarpits and block lists.