For a more specific check, you could query internetdb.shodan.io and see if the client IP has port 22 open, has the "vpn" tag or is any other services that you wouldn't expect to see from a visitor. We have a bunch of enterprise users that created rules to filter traffic out from IPs that are compromised or otherwise look malicious.