I have added this on my web server to limit the SSH brute force attacks, and it works quite well.
But I would very much like to have it in the firewall instead of on the server because I think it belongs there and it is quite annoying when I, by accident, lock myself out for 10 minutes when connecting from a local client. Maybe I should just change it so it doesn't block 192.168.* addresses ;)
What it does is log and block the third attempt, and just block the 4th and later attempts so that my logs don't get flooded.
# Record every new SSH connection in the "SSH" recent list and let the packet continue down the chain (a -j ACCEPT here would end processing before the throttling rules below ever see it).
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# 4th or later hit within 10 minutes: drop silently, no log entry.
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
# 3rd hit within 60 seconds: log it, then drop it; anything that gets past these rules is accepted.
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
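As an added example (not code from the original post), here is a small Python model of the recent match's sliding window that replays the posted rule order against a constructed sequence of connection attempts, so you can see which attempt gets logged, which are dropped silently, and when the 10-minute lockout expires. It assumes the LAN exemption the poster mentions (192.168.0.0/16 accepted ahead of the throttling rules), ignores --rttl, and uses constructed addresses and times.

```python
# Simplified model of the iptables "recent" match (xt_recent), used to replay
# the posted SSH throttling rules. Timestamps are plain seconds; --rttl is ignored.
import ipaddress
from collections import defaultdict

# The "SSH" recent list: source IP -> timestamps of recorded hits.
recent = defaultdict(list)

def _hits(src, now, seconds):
    """Count recorded hits inside the last `seconds` (the --seconds window)."""
    return sum(1 for t in recent[src] if t >= now - seconds)

def _update(src, now, seconds, hitcount):
    """Model --update --seconds N --hitcount M: match when at least M hits lie
    in the window; a match also records a new timestamp, as the kernel does."""
    if _hits(src, now, seconds) >= hitcount:
        recent[src].append(now)
        return True
    return False

def ssh_attempt(src, now, trusted="192.168.0.0/16"):
    """Verdict for one NEW connection to port 22 at time `now`.
    `trusted` is the assumed LAN exemption, placed before the throttling rules."""
    if ipaddress.ip_address(src) in ipaddress.ip_network(trusted):
        return "ACCEPT"                 # assumed: -s 192.168.0.0/16 -j ACCEPT
    recent[src].append(now)             # --set --name SSH (no -j ACCEPT here)
    if _update(src, now, 600, 4):
        return "DROP"                   # 4th+ hit in 10 min: silent drop
    logged = _update(src, now, 60, 3)   # 3rd hit in 60 s: -j LOG ...
    if _update(src, now, 60, 3):
        return "LOG+DROP" if logged else "DROP"   # ... followed by -j DROP
    return "ACCEPT"                     # fell through to the final ACCEPT

def replay(attempts):
    """attempts: list of (src, seconds); returns one verdict per attempt."""
    recent.clear()
    return [ssh_attempt(src, t) for src, t in attempts]

if __name__ == "__main__":
    # Constructed scenario: a remote host retries every 10 s, goes quiet, and
    # returns after the 600 s window; a LAN host retries freely.
    scenario = [("203.0.113.5", t) for t in (0, 10, 20, 30, 40, 700)] \
             + [("192.168.1.10", t) for t in (0, 1, 2, 3, 4)]
    for (src, t), verdict in zip(scenario, replay(scenario)):
        print(f"{t:4d}s {src:15} {verdict}")
```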