Can you supply details of what is in the access list? It might be something in the access list or it might be something in the way that access-class on the vty does the checking. One advantage of access-class is that it is applied to any packet whose destination is any IP address on the router. So you do not need tp specify specific destination addresses to be checked if you are attempting to use extended access list. Since the access-class is not checking against specific destination addresses that may be the reason why the destination address in the log shows as 0.0.0.0
In general it is not good to try to enforce that only SSH is accepted by access list on the vty. A much better solution is to specify transport input ssh on the vty.
I am slightly surprised at some details of your symptom but basically I believe that what you are seeing is expected behavior and normal.
I have routers with similar configuration of a standard access list which permits only specific hosts or subnets and then has deny any log. The standard access list is applied with access-class in on the vty ports. In my logs I see the source addresses being denied but I do not see anything about destination address or about port numbers. So I am surprised that your logs are including destination address and port.
But if your logs are showing destination address and port then I believe that it is normal behavior for them to show as zeros. It is a basic aspect of access list logging that the access list can only report fields that it has examined. So if the access list has not examined the destination address and has not examined port numbers then it can not report on these fields.
If your router is connected to the public Internet with a public address, which would seem to be the case, then it is also normal that there will be many attempts from the Internet to probe your router and to attempt remote access to it. I see this as very common behavior on routers that I support that connect directly to the Internet and have public addresses.
I see that your router is protected by limiting transport input to only SSH and the access class limits what can access it. So I believe that your router is fairly well protected. If you really want to know specifics of what they are attempting then I would suggest that in addition to what you have shown us that you configure an extended access list whose first several lines would deny any traffic whose destination address is the router itself (assuming that there is not any legitimate traffic coming from the Internet to the router itself (and if there is traffic from the Internet to the router itself that is legitimate then you would need to permit it in the access list). It might look something like this
access-list 151 deny tcp any host gr 1 log
access-list 151 deny udp any host gr 1 log
access-list 151 deny ip any host log
then there would need to be lines to permit other traffic.
and if you believe that there might be attempts to access other interface addresses on the router (which I think is not so likely) then you would need similar logic to handle the other addresses.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :