I guess many people are using SSH honeypots like Kippo.
Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
Some interesting features:
- Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
- Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
- Session logs stored in a UML-compatible format for easy replay with original timings
- Just like Kojoney, Kippo saves files downloaded with wget for later inspection
- Trickery; ssh pretends to connect somewhere, exit doesn't really exit, etc.