[...]

> scripts trying to "brute-force" usernames and passwords do exist

As that's potentially useful information: So far, I've encountered two
systems which were successfully 'broken into' (sort of) by automated ssh
scanners (term). In both cases, this happened because of an accidentally
exposed special purpose non-root account. Once, someone was so
prudent to create a test account with a username of test and password
test and never deleted that. This was discovered months after the fact
and after access had accidentally been cut off by restricting ssh logins
to members of a certain group. The second time was with an account
created for one-time ftp upload of something (using upload/ upload)
which had ssh access and had accidentally left active after the upload
happened. It was my fault this time and my 'workstation' (at that time)
thus got broken into. I noticed this shortly afterwards because nearly
all available CPU time and bandwidth got eaten by ssh scanning processes
now running on this machine.

In both cases, this was a fully automated procedure, brute force
account, download the scanning software from the 'attacking' computer,
install it below /var/tmp and start it on the new computer. No humans
were ever involved. This is really some kind of primitive 'internet
vermin' someone set lose at some point in time and since then, it's
alive and replicates itself as good as it can.