The IP was in the syslog as well. Finding out the geographical location of an IP address is rather easy, actually. All you have to do is using the whois databases. For a domain name, you can use the whois database of the NIC (network information center) responsible for that TLD (top level domain). For an IP address (my curse on the people who say IP number), you will have to use the whois databases of ARIN (for american addresses), RIPE (for european addresses) or APNIC (for asian addresses).
In this example, the command "whois -h whois.ripe.net 18.104.22.168" explicitly states that it is an internet cafe in romania.
Anyway, might I suggest disabling password authentication entirely and only allow public key authentication?