I recall reading something many years ago which stated an 'unprotected' Windows machine was vulnerable on the web within 4 minutes. It wouldn't surprise me if it's less than that now.A blast from the past...
If I switch on SSH to our Synology, I will have rejected login attempts within the hour. With our FTP server, we get attempts every few minutes - our blocked IP list is huge. You can just watch the logs expanding before your eyes with all the password guesses.
Here are some tips for the uninitiated (which really falls under common sense): Don't ever use 'password', '1234', 'qwerty' or 'xxxx' as a password. Don't use 'admin' for a username. For whatever reason 'slade777' and 'flow3r7' feature prominently as password guesses in our logs.
Also don't have the password and username the same, or the password the same as the domain name - these are very common attempts from people trying to password guess us.
Finally, if you don't need to have your machines exposed to the outside world, don't expose them.