NOTE: Updated 11/15/2016
There's been a sea change in the attack vectors coming into the testing server, and some interesting characters.
For approximately two weeks, we've been subject to "IP Agile" attacks. The term "IP Agile" is something borrowed from a piece of high end R&D lab equipment, a Fluke frequency-agile signal generator. The "IP Agile" attackers use numerous IP addresses that repeat only occasionally over a span of hours, evading tools like fail2ban. There also seems to be a specific cycle through countries, China, Brazil, Japan, EU (UK or France), Taiwan, then repeating, though I don't yet have enough data.