attempts to hack in?

Good afternoon, (f25 home workstation) While looking at journalctl output yesterday and today for other reasons (separate thread), I saw many "authentication failure" messages, over half also saying "user=root". I also saw many "password check failed for user (root)" messages. I saw many unknown user login attempts, and a few invalid user login attempts, and some attempts using one of the valid regular user names. Why? I am not yet good at reading journalctl output, so I don't know if these connection attempts are coming from "outside" or within this system. I don't know if I should be concerned or not. I do not intend anyone or anything to be able to get in to this system except for things that I initiate (examples: Firefox activity, Thunderbird activity, "dnf upgrade", installs, etc.). And it doesn't make sense to me that any of those would be trying to log in to this system to do what I want. I also don't see why anything on this system would try to log in to this same system except me personally (su, sudo, and actual logins). I am the only actual user. What's going on? How do I determine where they're coming from? Is there really someone or something trying to hack in? If no, what really is going on? Most important, How do I prevent connections from outside? thanks, Bill.