Check your log files folks. I've noticed an increase in the number of automated attacks against SSH lately.
Below are some recent stats from a server with port 22 open. The data on this particular server was in /var/log/auth.log (Table 1).
It may be in another location such as /var/log/secure, or better yet on your syslog server, depending on your configuration.
These stats were accumulated between 21 and 23 March, 2011:
IP # of attempts Origin
18.104.22.168 3171 South Korea
22.214.171.124 641 Indonesia
126.96.36.199 565 China
188.8.131.52 461 Germany
184.108.40.206 138 Brazil
220.127.116.11 121 Peru
18.104.22.168 117 Bulgaria
Total Attemps: 5214
The crackers are using automated tools that scan for valid ssh logins using a username list.
The tools scan a range of IP's using the login name and record names that are prompted for login credentials.
The sites and names that come up on the list can be processed again, checking for weak passwords, or password brute force vulnerabilities.
The tools and method are not new, but the number of attacks seems much higher lately.
Usernames seen scanned for include common names such as root, web, and guest, but also guesses at real users like claudia and craig.
To see if any of the usernames you have configured may have been guessed, search for the names in the appropriate log file.
For example, sudo cat /var/log/auth.log | grep "Invalid user guest" replacing guest with the username you're concerned about, and editing the path to your log files.
Some protection from such attacks include disabling root login via ssh, using public/private key pairs for login instead of relying on passwords, and setting a maximum authentication tries threshold to thwart brute force password attacks.
Although it doesn't protect against this particular attack, it is also good practice to keep your system, including your ssh daemon up to date, and to only allow SSH version 2 connections.
How you go about setting these protections will vary depending on the flavor of Linux or BSD you are running.