I'm really getting sick and tired of this damn ssh worm that's going around. Pretty much every morning I get a bunch of entries like this from various 0wn3d systems admin/password from 207.234.184.143: 40 Time(s) guest/password from 207.234.184.143: 20 Time(s) root/password from 207.234.184.143: 2722 Time(s) test/password from 207.234.184.143: 100 Time(s) user/password from 207.234.184.143: 20 Time(s) No sense in firewalling these servers off because the IPs change every day and it just makes me insane. Course, lately I've been thinking of using something like SnortSAM to make me feel better :)
Ya, I get the same thing... so I've added some firewall rules to known "good" netblocks and local ISPs (eg 70.0.0.0/8).
If you've got PHP, take a look at the scripts located at the below URL. It monitors auth.log watching for these events, and adds a rule to block it. Then setup a crontab entry to clear those rules every other minute (in case you lock yourself out at some point)
http://www.pjkh.com/~philip/sshmonitor/