You can also use iptables for rate limiting, a la adding the following to
your existing iptables configuration:

# The chain has to be declared before any rule jumps to it
:ALLOWED - [0:0]
# Hand every SSH packet arriving on eth0 to the ALLOWED chain
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ALLOWED
# Packets belonging to sessions that already exist are never rate limited
-A ALLOWED -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections (pure SYN): at most 3 per minute, with a burst of 3
-A ALLOWED -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 3/min --limit-burst 3 -j ACCEPT
# Anything over the limit is logged, then rejected
-A ALLOWED -p tcp -j LOG --log-prefix " DROP RATE_LIMIT " --log-tcp-options --log-ip-options
-A ALLOWED -p tcp -j REJECT --reject-with icmp-port-unreachable

That limits the bad connections to 3 per minute, and you don't have to
worry about DOSing yourself.
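As an added illustration, not part of any message in this thread, here is a Python simulation of the limit match in the ALLOWED chain above: one token bucket per rule that starts with --limit-burst tokens and refills at --limit (3/min is one token every 20 s), so a fourth SYN in quick succession is rejected until a token refills. The timeline of SYNs is constructed, and the bucket is shared by every source address rather than kept per client.

```python
"""Token-bucket approximation of iptables '-m limit --limit 3/min --limit-burst 3'.

Constructed example: the SYN timeline below is made up. The limit match keeps a
single bucket per rule, so all source addresses draw from the same tokens.
"""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    rate_per_min: float = 3.0   # --limit 3/min
    burst: int = 3              # --limit-burst 3
    tokens: float = field(init=False)
    last_ts: float = field(init=False, default=0.0)

    def __post_init__(self):
        # The bucket starts full, so the first `burst` packets always match.
        self.tokens = float(self.burst)

    def matches(self, ts):
        # Refill proportionally to elapsed time, capped at the burst size.
        elapsed = ts - self.last_ts
        self.last_ts = ts
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_per_min / 60.0)
        if self.tokens >= 1.0:
            self.tokens -= 1.0   # this packet spends one token -> ACCEPT
            return True
        return False             # bucket empty -> falls through to LOG/REJECT


def evaluate_chain(syn_events, rate_per_min=3.0, burst=3):
    """Walk new-connection SYNs through the ALLOWED chain; return (ts, src, verdict)."""
    lim = LimitMatch(rate_per_min, burst)
    return [(ts, src, "ACCEPT" if lim.matches(ts) else "REJECT") for ts, src in syn_events]


# Constructed timeline (seconds, source): a brute-forcer, then an admin login.
SAMPLE_SYNS = [
    (0.0, "198.51.100.7"),
    (0.5, "198.51.100.7"),
    (1.0, "198.51.100.7"),
    (1.5, "198.51.100.7"),   # fourth SYN inside the burst -> rejected
    (10.0, "192.0.2.10"),    # admin is rejected too: the bucket is global, not per source
    (25.0, "192.0.2.10"),    # one token has refilled after 20 s -> accepted
]

if __name__ == "__main__":
    for ts, src, verdict in evaluate_chain(SAMPLE_SYNS):
        print(f"t={ts:5.1f}s {src:14} {verdict}")
```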

On Wed, 29 Mar 2006, Matt P wrote:

> You can also wrap sshd within xinetd:
>
> service ssh
> {
>     flags           = REUSE
>     socket_type     = stream
>     wait            = no
>     user            = root
>     protocol        = tcp
>     server          = /usr/sbin/sshd
>     server_args     = -i
>     log_type        = FILE /var/log/sshdlog
>     log_on_success  = HOST PID DURATION EXIT
>     log_on_failure  = HOST ATTEMPT
>     disable         = no
> }
>
> Shut down sshd itself and bounce xinetd. Then the hosts.allow and/or
> hosts.deny work.
>
> On 3/28/06, Joseph Spenner wrote:
>> --- "Zembower, Kevin" wrote:
>>
>>> What's the current advice on dealing with scripts that repeatedly try to
>>> log onto SSH using a list of common usernames and 'password' for the
>>> password? I get up to 4,000 of these a day from a single server. In
>>> searching Google on this, I've learned of techniques using PAM and
>>> firewall rules that are created dynamically in response to log-in
>>> attempts.
>>>
>>
>> I've seen systems where an entry is made in /etc/hosts.allow for sshd:
>> for the offending IP if too many attempts are detected. But in order for
>> this to work, your sshd must be compiled with tcp_wrappers support.
>> I see this sort of attack a lot, and if the attacking script hits a tcp
>> wrapped ssh, it will stop immediately. After a few minutes/hours, the
>> entry can be removed from hosts.allow (or not).
>>