Set-up and deployment of a high-interaction honeypot: experiment and lessons learned - Université Toulouse III - Paul Sabatier - Toulouse INP
Journal article, Journal in Computer Virology, Year: 2011

Set-up and deployment of a high-interaction honeypot: experiment and lessons learned

Abstract

This paper presents the lessons learned from an empirical analysis of attackers' behaviours, based on the deployment on the Internet of a high-interaction honeypot for more than one year. We focus in particular on the attacks performed via the SSH service and on the activities performed by the attackers once they gain access to the system and try to progress in their intrusion. The first part of the paper describes: i) the global architecture of the honeypot and the mechanisms used to capture the implementation details so that we can observe attackers' behaviours, and ii) the details of the experiment itself (duration, data captured, overview of the attackers' activity). The second part presents the results of the observation of the attackers. It includes: i) the description of the global attack process, which consists of two main steps, dictionary attacks and intrusions, and ii) the detailed analysis of these two main steps.
Main file
final_auteurs.pdf (613.59 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-00762596, version 1 (07-12-2012)

Identifiers

Cite

Vincent Nicomette, Mohamed Kaâniche, Eric Alata, Matthieu Herrb. Set-up and deployment of a high-interaction honeypot: experiment and lessons learned. Journal in Computer Virology, 2011, 7 (2), pp.143-157. ⟨10.1007/s11416-010-0144-2⟩. ⟨hal-00762596⟩
366 views
3818 downloads
