This would have been fun to put onto production machines. We had a botnet that was running ssh bruteforce with 10s requests per second with unique IPs. It stopped after we disabled password auth.
Whoops, silly me / more coffee needed. All my servers have:
PasswordAuthentication no
ChallengeResponseAuthentication no
so sshd never generates a password prompt.
They all run on a non-standard port, and it's somewhat rare to see more than one unique IP address connection attempt, but every few days you see a few hundred in sequence from a script too dumb to notice.