[Solved] Best way for block ssh attack without Firewall


mfaridi
December 13th, 2008, 18:44
I use FreeBSD and I use denyhosts to block SSH attacks. I do not want to use a firewall like PF and IPFW.
Can I find the best way to block SSH?
Denyhosts blocks 200 SSH attacks for me in one day.
Can I find the best way?

graudeejs
December 13th, 2008, 18:55
1) disable SSH (the most secure method, lol)
2) change the default port to a much higher one (by default it is port 22, everyone knows that)
3) use a long and hard to break password
4) disable root login over ssh, only enable a user to log in and then su or even better sudo to root (everyone knows there's root on Unix)
5) Change passwords frequently
n) Try using Google for more

Lucian
December 13th, 2008, 20:21
For me changing the port has worked wonderfully against automated brute force attempts.

SaveTheRbtz
December 13th, 2008, 20:36
# cat pf.conf
block quick proto tcp from <brute> to any port 22
pass quick proto tcp from any to any port 22 keep state \
(max-src-conn-rate 20/60, overload <brute> flush global)
works fine for me.

I had some trouble rewriting management shell scripts using non-standard ssh ports.

danger@
December 13th, 2008, 21:23
even better would be to use ssh-keys rather than passwords;
other ideas are still applicable though.

graudeejs
December 13th, 2008, 22:35
even better would be to use ssh-keys rather than passwords;
other ideas are still applicable though.

I wanted to write that, but forgot... lol
BTW, is it possible to combine keys and passwords?

r-c-e
December 14th, 2008, 00:09
check out sshguard in ports, it can use hosts.deny instead of firewall if you want to do it that way.

businessgeeks
December 14th, 2008, 09:51
changing the ssh port does a good job to discourage casual hackers.

Pushrod
December 15th, 2008, 04:46
I have it on port 2222, and on port 22, but 22 is blocked completely unless you are on my approved list of ssh-ers.

In other words, I use a firewall, which doesn't exactly answer your question.

braveduck
December 15th, 2008, 10:53
I would suggest using all of the above:

1) Running ssh on another port
2) Use keys instead of passwords
3) Use firewall rules together with port-knocking method (security/knock)

anomie
December 17th, 2008, 00:19
I do not want to use a firewall like PF and IPFW.
Can I find the best way to block SSH?

Do you specifically want to avoid a packet filtering firewall? i.e. Would tcp wrappers or @HOST sshd directives be acceptable?

To ask the question another way: Do you want to restrict access by subnet, but wish to avoid "firewalls" for some reason?

chrcol
December 18th, 2008, 04:25
# cat pf.conf
block quick proto tcp from <brute> to any port 22
pass quick proto tcp from any to any port 22 keep state \
(max-src-conn-rate 20/60, overload <brute> flush global)
works fine for me.

I had some trouble rewriting management shell scripts using non-standard ssh ports.

That allows 20 every 60 seconds per IP, right? If exceeded, then it goes to the brute table?

SaveTheRbtz
December 18th, 2008, 07:43
Correct. Maybe 60 is too many for ssh. You may set it to 10 or 5. But it is very unpleasant when your firewall is blocking your connection to the box.

We also use that system to block virussed spammers inside our network
block quick proto tcp from <spammers> to any port 25
pass quick proto tcp from <grey_clients> to any port 25 keep state \
(max-src-conn-rate 15/60, overload <spammers> flush global)

syadnom
December 26th, 2008, 21:03
1) limit ssh to specific networks in ssh config
2) limit access to ssh from specific hosts
3) use keys and not passwords.
4) change ssh port from 22.
5) limit ssh to specific user accounts.
6) use a good password.
7) obscure system access but allowing logins to low privilege accounts and set up sudo to grant access to a privileged shell and only that.

uisge
December 26th, 2008, 22:09
I'm using the following strategy:

1) use different port to get rid of annoying log entries
2) PermitRootLogin no
3) AllowUsers <very odd and long username> (only user allowed!)
4) That <very odd and long username> is an unprivileged user
5) su from <very odd and long username> into <privileged user> which is a member of the wheel group
6) su from <privileged user> into root, if needed

BeastieBoy
July 4th, 2010, 15:40
Old post, but still relevant and appears well ranked in search engines.

For me changing the ssh port to <something_else> works very well. Kiddies won't spend time probing your ports and will move on to the neighbour's.

soupbowl
July 6th, 2010, 10:54
What everyone else said is great.
As for me:
1. I use port 2222,
2. a strong password,
3. in /etc/sshd/sshd_config I use 'AllowUsers' and restricted who has access to login
4. I use denyhosts "http://www.freshports.org/security/denyhosts/" It rocks.
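
The sshd_config settings recommended across the posts above (a non-default port, PermitRootLogin no, keys instead of passwords, an AllowUsers list) can be checked with a small script. This is an added example, not part of any post in the thread; the function names, the sample configs and the user name in them are made up for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings suggested in this thread.
# Reads the file named in $1, or stdin when no argument is given, and prints one
# "WARN: ..." line per finding (nothing when every check passes).
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            key = tolower($1)                # keywords are case-insensitive
            if (key == "match") exit         # audit global settings only
            if (key == "port") { ports = ports " " $2; next }  # Port may repeat
            if (!(key in val)) val[key] = tolower($2)  # first value wins in sshd
        }
        END {
            if (ports == "" || ports ~ / 22( |$)/)
                print "WARN: sshd listens on the default port 22"
            if (val["permitrootlogin"] != "no")
                print "WARN: PermitRootLogin is not explicitly \"no\""
            if (val["passwordauthentication"] != "no")
                print "WARN: PasswordAuthentication is not explicitly \"no\""
            if (!("allowusers" in val))
                print "WARN: no AllowUsers list restricts who may log in"
        }
    ' "${1:--}"
}

# Constructed sample: the later "PermitRootLogin no" has no effect (first value wins).
sample_weak() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
}

# Constructed sample following the thread's advice (the user name is made up).
sample_hardened() {
    cat <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers xq7-very-odd-long-name
EOF
}

echo "== weak ==";     sample_weak | audit_sshd_config
echo "== hardened =="; sample_hardened | audit_sshd_config
```

On a real host, call it as `audit_sshd_config /etc/ssh/sshd_config`. With PAM enabled, keyboard-interactive authentication can still prompt for a password even when PasswordAuthentication is "no", so review that setting as well.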