From the diary of ISC yesterday:
While I'm aware that ISC readers probably don't have to be told, let's nevertheless try again to get the word out: If you are running any SSH server open to the Internet, and your usernames and passwords aren't at least 8 characters or so, your box is either owned by now, or about to be. It doesn't matter one bit what sort of device it is - those who run these scans have proven to be equally apt at taking over a Cisco router as they are at subverting an iMac.
My own router records led me to believe there has been a marked increase in SSH bruteforce attempts quite some time ago, so I've disabled all internet facing SSH and only enable it, with very limited IP address access, if and when I need it.
If you're allowing SSH access to your network, it's definitely time you considered how secure it really is, and if you really need it. Botnets are getting bigger and quicker and may soon own you if you're not careful.