Re:automated responses to probes? (Score 2, Informative)

Add a rate limit to your incoming ssh syn connections and drop the ones that go over the rate limit. Also, remove password authentication and only allow rsa authentication. With these together, ssh attacks will disappear from your logs.

For example:

$IPTABLES -A tcp_packets -p TCP -s 0/0 -d $INET_IP --dport 22 -j allowed
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP --syn -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
$IPTABLES -A allowed -p TCP -j LOG --log-level "NOTICE" --log-prefix '[DROP:RATE_LIMIT] '
$IPTABLES -A allowed -p TCP -j REJECT

Note. Only turn on the output to log when you want to see what is going on. Otherwise, just comment out that line.