You can use the iptables "recent" module. Simply filter on new SYN packets to the SSH port and add the bad guy whenever he opens more than X connections in Y seconds to SSH. Stops em dead. You mustn't do it yourself of course.
http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.h...
You'll need to roll your own firewall rules if you don't already. (Unless it is now possible to inject such things in SuSEFirewall2, I don't know, haven't looked at SuSEFirewall in the last 3-4 years :-) )
Thanks for all the replies! I've found setting "MaxAuthTries 2" with a combination of the iptables rules works great! I can hardly wait to get attacked again to watch it work. ;-) The only problem is iptables can't tell the difference between a successful login and a failed login, but that's not usually a problem as long as I don't open a bunch of SSH connections all at once. I'll check into swatch when I get time, but for now I'll share the iptables rules I ended up with with this list as my thanks to everyone. This will block any IP for 60 seconds that tries to connect 5 or more times in a one minute time frame (along with logging it). It's easy to test, just login multiple times and ALL the connections will freeze for awhile when you hit the login limit:

iptables -A INPUT -p tcp --syn --dport 22 -i eth0 -m recent --name sshattack --set
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 5 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 5 -j DROP

- BS
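The following is an added example, not code posted by anyone in this thread: the same "recent"-module throttle rebuilt as a reviewable shell script. It differs from the rules above in three ways a defender usually wants: the LOG and DROP rules only ever see new SSH SYNs (they live in a dedicated chain that INPUT jumps to for tcp/22 SYNs), so a throttled address loses new SSH connections rather than all of its traffic; DROP uses --update instead of --rcheck, so the block is extended for as long as the source keeps sending SYNs; and an administrative network is exempted before anything is recorded. The port, interface, chain name SSH_THROTTLE, list name and the TEST-NET-1 admin range are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): SSH SYN throttling with
# the iptables "recent" module, emitted as plain commands so the rule set can
# be reviewed before it is applied.  Assumed values: SSH on port 22, inbound
# interface eth0, chain SSH_THROTTLE, and a placeholder admin network.

SSH_PORT=${SSH_PORT:-22}
IFACE=${IFACE:-eth0}
WINDOW=${WINDOW:-60}              # seconds of history the check looks back over
HITS=${HITS:-5}                   # SYNs within WINDOW that trigger the block
LISTNAME=${LISTNAME:-sshattack}   # name of the kernel "recent" list
CHAIN=${CHAIN:-SSH_THROTTLE}      # dedicated chain so only SSH SYNs are judged
# Placeholder (TEST-NET-1): replace with the real management range.
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}

# Print the iptables commands, one per line, without running them.
build_rules() {
    match="-p tcp --syn --dport $SSH_PORT -i $IFACE"
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -s $ADMIN_NET -j RETURN
iptables -A $CHAIN -m recent --name $LISTNAME --set
iptables -A $CHAIN -m recent --name $LISTNAME --rcheck --seconds $WINDOW --hitcount $HITS -m limit --limit 3/min -j LOG --log-prefix "SSH attack: "
iptables -A $CHAIN -m recent --name $LISTNAME --update --seconds $WINDOW --hitcount $HITS -j DROP
iptables -C INPUT $match -j $CHAIN 2>/dev/null || iptables -A INPUT $match -j $CHAIN
EOF
}
# Rule walk-through for one SSH SYN that reaches the chain:
#   RETURN  - packets from ADMIN_NET are never recorded or blocked.
#   --set   - record this SYN's source and timestamp in LISTNAME.
#   --rcheck/LOG - on the HITS-th SYN within WINDOW, log it (rate-limited so
#                  a flood cannot fill the log).
#   --update/DROP - same test, but --update also refreshes the timestamp, so
#                   every further SYN keeps the address blocked for another
#                   WINDOW seconds; --rcheck alone would let it expire WINDOW
#                   seconds after the 5th hit even while SYNs keep arriving.
# Packets of established SSH sessions never enter the chain (no --syn), so an
# already-open session is not frozen when its source gets throttled.

# Apply the rules (needs root and the recent/limit modules loaded).
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    build_rules | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       build_rules ;;    # default: dry run, just show the rules
esac
```

Run the script with no arguments to review the generated rules, and with `--apply` as root to install them; the chain is flushed and rebuilt on each run, and the INPUT jump is added only if it is not already present (`iptables -C`), so the script is safe to re-run after editing the variables at the top.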