
One of the first things I do when setting up a new VM is install DenyHosts:

http://denyhosts.sourceforge.net/

The out-of-the-box config options are pretty decent, giving a few attempts to most accounts but only one wrong password for root before blocking the IP address.

I have it send email notifications to my support ticket tracking system, which automatically sorts them so I can see how heavily I'm being attacked at any given time, or if one VM in particular is being targeted. (One VM has been a particular target over the holidays, so I just turned off SSH entirely and access it using the Xen console for now.)

The downside of having a good understanding of how much you're under attack is that it is a bit disturbing. In reality, I know that I could just leave SSH running on all my VMs, but turning it off when someone's targeting one of them reduces the flow of scary emails. The most disturbing thing is how many machines these guys must have already compromised, since as soon as you block one IP address another steps in.
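The per-account thresholds described in the comment above, sketched as an added example (not DenyHosts code and not part of the original comment). The function names, the sample log and the thresholds for non-root accounts are assumptions made for illustration.

```python
import re
from collections import Counter

# Failures allowed per source address. root=1 follows the comment above;
# the other two numbers are assumed values for this example.
THRESHOLDS = {"root": 1, "valid": 10, "invalid": 5}

# The user field is client-supplied text, so the pattern is anchored at the
# end of the line and the address is read from the final "from ... port".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$"
)

def classify(match):
    """Bucket a failed login as root, invalid (unknown account) or valid."""
    if match.group("invalid"):
        return "invalid"
    return "root" if match.group("user") == "root" else "valid"

def hosts_to_block(lines, thresholds=THRESHOLDS):
    """Return {ip: bucket} for every source that reached a bucket's threshold."""
    counts, blocked = Counter(), {}
    for line in lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ip, kind = m.group("ip"), classify(m)
        counts[ip, kind] += 1
        if ip not in blocked and counts[ip, kind] >= thresholds[kind]:
            blocked[ip] = kind
    return blocked

# Constructed sample auth log (documentation address ranges, made-up hosts).
SAMPLE_LOG = (
    ["Dec 28 03:14:07 vm1 sshd[2211]: Failed password for root from 203.0.113.9 port 51234 ssh2"]
    + [f"Dec 28 03:15:{s:02d} vm1 sshd[2300]: Failed password for invalid user admin "
       f"from 198.51.100.7 port 40{s:02d} ssh2" for s in range(5)]
    + ["Dec 28 03:20:01 vm1 sshd[2400]: Failed password for alice from 192.0.2.44 port 50022 ssh2"] * 2
    + ["Dec 28 03:20:09 vm1 sshd[2401]: Accepted password for alice from 192.0.2.44 port 50022 ssh2"]
)

if __name__ == "__main__":
    for ip, kind in hosts_to_block(SAMPLE_LOG).items():
        print(f"block {ip} ({kind} threshold reached)")
```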



