After I researched some of the options in the past (all of which required installation of more software), I decided on iptables entries that 'flag' and DROP the IP for 5 minutes after 5 connection attempts.
iptables -I FORWARD -p tcp --dport 22 -i eth0.2 -m state --state NEW -m recent --name ssh --update --seconds 300 --hitcount 5 -j DROP
iptables -I FORWARD -p tcp --dport 22 -i eth0.2 -m state --state NEW -m recent --name ssh --set
This also covers scanning of the port if it takes more than 5 tries to determine it's SSH. Configuring SSH or your port forward to connect to the SSH on a non-standard port reduced my scan attempts to 0%. Be careful that you type your password correctly from now on... you only get 5 attempts... lol.
- Lynwood KB3VWG
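
Added example, not part of the original post: a small shell/awk model of how the two `recent` rules above treat a stream of NEW connections to port 22, so the rate-limit behaviour can be checked without touching a live firewall. The function names and the sample addresses and timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: models the two rules from the post in the order the
# kernel evaluates them (both use -I, so the --set rule ends up first and the
# --update ... -j DROP rule second). The cap on timestamps stored per address
# is not modelled.

# Constructed sample input: "<seconds> <source-ip>", one NEW connection per line.
sample_attempts() {
    cat <<'EOF'
0 203.0.113.7
10 203.0.113.7
20 203.0.113.7
30 203.0.113.7
40 203.0.113.7
200 203.0.113.7
450 203.0.113.7
0 198.51.100.9
400 198.51.100.9
800 198.51.100.9
EOF
}

# Prints "<seconds> <source-ip> PASS|DROP" for each attempt read from stdin.
simulate_recent() {
    awk -v window=300 -v hitcount=5 '
    function stamp(ip, t) { n[ip]++; ts[ip, n[ip]] = t }
    {
        t = $1; ip = $2
        stamp(ip, t)                       # --set: record this attempt
        hits = 0
        for (i = 1; i <= n[ip]; i++)       # --update --seconds 300:
            if (t - ts[ip, i] <= window)   # count stamps inside the window
                hits++
        if (hits >= hitcount) {            # --hitcount 5 reached
            stamp(ip, t)                   # --update refreshes last-seen
            print t, ip, "DROP"
        } else {
            print t, ip, "PASS"            # falls through to later rules
        }
    }'
}

sample_attempts | simulate_recent
```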