I check /var/log/secure and I have these logs:
Jul 9 13:02:56 localhost sshd[30624]: Invalid user admin from 223.196.172.1 port 37566
Jul 9 13:02:57 localhost sshd[30624]: Connection closed by invalid user admin 223.196.172.1 port 37566 [preauth]
Jul 9 13:03:05 localhost sshd[30626]: Invalid user admin from 223.196.174.150 port 61445
Jul 9 13:03:05 localhost sshd[30626]: Connection closed by invalid user admin 223.196.174.150 port 61445 [preauth]
Jul 9 13:03:16 localhost sshd[30628]: Invalid user admin from 223.196.169.37 port 62329
Jul 9 13:03:24 localhost sshd[30628]: Connection closed by invalid user admin 223.196.169.37 port 62329 [preauth]
Jul 9 13:03:29 localhost sshd[30630]: Invalid user admin from 223.196.169.37 port 64099
Jul 9 13:03:30 localhost sshd[30630]: Connection closed by invalid user admin 223.196.169.37 port 64099 [preauth]
Jul 9 13:03:45 localhost sshd[30632]: Invalid user admin from 223.196.174.150 port 22816
Jul 9 13:03:46 localhost sshd[30632]: Connection closed by invalid user admin 223.196.174.150 port 22816 [preauth]
Jul 9 13:06:17 localhost sshd[30637]: Invalid user admin from 223.196.168.33 port 33176
Jul 9 13:06:17 localhost sshd[30637]: Connection closed by invalid user admin 223.196.168.33 port 33176 [preauth]
Jul 9 13:07:09 localhost sshd[30639]: Invalid user admin from 223.196.173.152 port 61780
Jul 9 13:07:25 localhost sshd[30641]: Invalid user admin from 223.196.168.33 port 54200
Jul 9 13:07:26 localhost sshd[30641]: Connection closed by invalid user admin 223.196.168.33 port 54200 [preauth]
...
It seems someone tries to log in by SSH. I disable login by root user and enable public/private key login, but is this a DDoS attack? And does it use RAM/CPU?
What should I do?