I happened to look at my /var/log files. Most were empty. Not auth.log. Looks like I've been brute force attacked on ssh from a known bad IP address (I googled it).
So, I looked up how to restrict ssh attacks, and found this article at https://www.rackaid.com/blog/how-to-block-ssh-brute-force-attacks/
Block SSH Brute Force Attacks with IPTables
January 27, 2010Jeff HuckabySecurity
Detecting a SSH Brute Force Attack