I also do see these ssh scans on a couple of boxes. I don’t think this is a distributed password cracking attempt (test is a bad choice, and even 100*8 tries is nothing)

I think this is just some new script kiddie tool scanning for known weak passwords. I’ve seen the usernames “user”, “test” and “guest”. I bet the passwords tried are similar…

Maybe Debian should disallow a certain set of really bad passwords by default. I wouldn’d suggest running full cracklib, but disallowing “user”, “guest”, “test”, “password” and “12345678” could at least discourage such scans (and prevent people from using such stupid passwords).