On all our servers, we have scripts that detect break-in attempts.
For instance, on December 13, between 5:41:43 PM and 5:42:24 PM - yep, just 41 seconds - there were 49 attempts to log in to the server over "secure shell" (SSH) as user "root" from 208.187.180.4. Obviously this was an automated attempt; nobody could possibly type that fast and furiously. The reverse DNS shows that address to be web1.octelecom.net, in Provo, Utah. It might be a sysop running a shell script (although that's not too likely). It might be a user running a shell script on their server. It might be someone using a script on another computer to reach a proxy server on their server.
It doesn't much matter. The only person who should be trying to log in as "root" is me. That IP address belongs to someone who is either trying to do evil or is carelessly allowing someone else to try to do evil. It makes sense to block that IP address.
What's more, if that IP address is a threat to one server, it's a threat to all our servers. Our servers share their block lists with each other, so that if an IP address is used to attack one server, it gets blocked from all of them.
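One way to implement the detection and the block-list exchange the two paragraphs above describe, as an added example in Python (this is not the scripts running on the author's servers): it parses OpenSSH "Failed password" log lines with a sliding window, emits a JSON list for the other servers to merge, and adds a block expiry as a caveat prompted by the shared-hosting problem discussed later in the post. The threshold (10 failures in 60 seconds), the 7-day TTL, the JSON message shape, the year 2004 used for parsing, the server names and every log line are assumptions constructed for this example.

```python
"""Sliding-window SSH brute-force detection plus a block-list exchange.

Added example (not the scripts the post describes). The log lines are
constructed to look like OpenSSH "Failed password" messages; the threshold,
window, TTL and the JSON exchange format are assumptions of this example.
"""
import ipaddress
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                   # failures from one address ...
WINDOW = timedelta(seconds=60)   # ... inside this window => block (assumed)
TTL = timedelta(days=7)          # assumed: let an idle block lapse, see expire()
LOG_YEAR = 2004                  # syslog lines carry no year; assumed

# Anchored at both ends: the user name is attacker-chosen, so without the
# trailing anchor a name such as "x from 1.2.3.4 port 1 ssh2" could make the
# pattern extract an address the attacker planted instead of the real one.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_line(line):
    """Return (timestamp, user, ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    try:  # never let a non-address string reach a firewall rule
        ip = str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), ip


def detect(lines, user="root"):
    """Sliding-window count of failures per source IP against `user`.

    Returns {ip: {"count", "first", "last"}} for every IP that reached
    THRESHOLD failures within WINDOW: this is the local block list.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    seen = defaultdict(int)      # ip -> total failures against `user`
    first, blocked = {}, {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != user:
            continue
        ts, _, ip = parsed
        seen[ip] += 1
        first.setdefault(ip, ts)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= THRESHOLD or ip in blocked:
            blocked[ip] = {"count": seen[ip], "first": first[ip].isoformat(),
                           "last": ts.isoformat()}
    return blocked


def publish(server, blocked):
    """Serialize the local list as the message one server sends to the others."""
    return json.dumps({"server": server, "blocks": blocked}, sort_keys=True)


def merge(local, message):
    """Fold another server's message into the local list (union of blocks)."""
    for ip, entry in json.loads(message)["blocks"].items():
        cur = local.get(ip)
        if cur is None:
            local[ip] = dict(entry)
        else:  # same attacker seen by two servers: keep the widest span
            cur["first"] = min(cur["first"], entry["first"])
            cur["last"] = max(cur["last"], entry["last"])
            cur["count"] += entry["count"]
    return local


def expire(blocked, now):
    """Drop blocks idle longer than TTL (assumed policy, not the post's):
    a shared-hosting address may have changed hands since the attack."""
    return {ip: e for ip, e in blocked.items()
            if now - datetime.fromisoformat(e["last"]) <= TTL}


def build_sample_log():
    """Constructed input: 49 root failures in 41 seconds from one address,
    mirroring the post's numbers, plus two stray failures that must not block."""
    fmt = "{:%b %d %H:%M:%S} web1 sshd[{}]: Failed password for {} from {} port {} ssh2"
    start = datetime(LOG_YEAR, 12, 13, 17, 41, 43)
    lines = [fmt.format(start + timedelta(seconds=i * 41 / 48), 1000 + i,
                        "root", "208.187.180.4", 40000 + i) for i in range(49)]
    lines.append(fmt.format(start, 2000, "root", "192.0.2.7", 51000))
    lines.append(fmt.format(start, 2001, "invalid user admin", "198.51.100.9", 51001))
    return lines


def run_demo():
    """Detect locally, merge a (constructed) message from server web2, expire."""
    local = detect(build_sample_log())
    other = publish("web2", {"198.51.100.9": {"count": 12,
                                              "first": "2004-12-24T02:58:10",
                                              "last": "2004-12-24T03:00:01"}})
    merged = merge({ip: dict(e) for ip, e in local.items()}, other)
    return {"local": local, "merged": merged,
            "after_expiry": expire(merged, datetime(LOG_YEAR, 12, 25))}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it directly to see the three lists. The anchored regex and the `ipaddress` check are the parts worth copying: a detector that turns log text into firewall rules is itself an input parser for attacker-controlled data, and the user-name field is exactly where an attacker can plant a second "from" clause to get a victim's address blocked instead of their own.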
Once in a while, this can have unintended consequences. One of our users phoned me earlier today, indicating that she has been unable to use the ImageMaster101 utilities at playmaster101.com for about a week. When she contacted the folks there, they told her that we were blocking them. Indeed, it turns out that 65.175.14.239, their IP address, is on our block list.
IP addresses are a scarce commodity, and hosting companies use the same IP address for multiple domains. It could well be that some other domain on that IP address was the source of the attacks. What's more, it's quite possible that the other domain isn't on that IP address any more. If you annoy the wrong person with a break-in attempt, he will launch a (highly illegal) denial-of-service attack in retaliation. That attracts the attention of the hosting company, and they decide they can live without that customer.
So I've just manually removed the playmaster101 IP address from our block list.
But if there is another attack, the software will automatically stick it back on the list again.
