I'm running an SSH server on my personal computer. The log had many people(or bots?) repeatedly trying to log in to my server (that is before I changed the default port), which made me a little freaked out. I was worried about their dictionary attacks or brute force password guessing.
But then if you type wrong password (or wrong username), the server waits for about 2 seconds before it asks for password again. So an attacker can try one password per 2 seconds. So I concluded that these attacks aren't that great a threat (as long as your password does not consist of dictionary words.) Am I correct?