Change your SSH Listening Port
SSH allows you to change the listening port to a non-standard port (other than port 22). This is not really a good solution, but will make it more difficult for brute force scripts to find your SSH port without doing a portscan first.
To change the listening port, just edit /etc/ssh/sshd_config and look for the line that says:
Uncomment this line, and change the port number to something not currently used by the system. Be sure to restart SSH to reload the configuration.
Turn off SSH Password Authentication
Use SSH certificate-based authentication, and turn off password based authentication. That’ll stop them. This is not a good solution for all cases.
DenyHosts will stop attempts from known problem IP addresses.
Fail2ban can also be used for other services such as FTP, IMAP, POP3, and others.
SSHGuard will watch and parse your log files, then dynamically ban IP addresses based on unsuccessful login attempts. Not only does this utility handle SSH, but it also handles a number of other services including dovecot, proftpd, pure-ftpd, and others.
pam_abl will auto-blacklist hosts and users who try repeatedly to unsuccessfully log in.
Get Really Paranoid
Get out your tin-foil hats… Just because you’re paranoid, doesn’t mean they aren’t really out to get you! Consider installing the Firewall Knock Operator, which will deny any potential intruders before they even connect!
Disable SSH and use Telnet
The script kiddies will never see this one coming!
We’re just kidding. Telnet sends passwords unencrypted and should never be used.