This is what I use on my CentOS boxes/VMs; it rate-limits the connections and also rate-limits the log messages (to prevent attacks that attempt to fill up the server's disk).
iptables -F                       # flush all rules in the filter table
iptables -X                       # delete any user-defined chains
iptables -N LOGDROP               # create the LOGDROP chain
iptables -A LOGDROP -m limit --limit 1/s -j LOG --log-prefix "LOGDROP: "   # rate-limit the logging so the logs don't fill up the server
iptables -A LOGDROP -j DROP
# INPUT rules are evaluated top to bottom, so the order matters: the internal-network ACCEPT must sit
# above the rate-limit rules (with -I instead of -A each rule would be inserted at the top and the
# ACCEPT would end up last, so internal hosts would be rate-limited too).
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/16 -j ACCEPT   # allow SSH from the internal network without rate-limiting
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOGDROP   # more than 4 new connections in 60 seconds from one address: log and drop (and refresh its timestamp, so it stays blocked while it keeps trying)
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set   # record the source address in the "bucket"
After issuing these commands I run /etc/init.d/iptables save, which persists the rules to … somewhere. Alternatively I sometimes put all the above commands in some bash script and just call it from /etc/rc.local.
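Once the rules are in place, the "LOGDROP: " prefix makes the dropped attempts easy to count. As an added example that is not part of the original answer, here is a small POSIX shell script that summarises LOGDROP hits per source address from kernel log lines; the sample lines are constructed (documentation-range addresses) in the format the LOG target writes to /var/log/messages.

```shell
#!/bin/sh
# Added example: summarise LOGDROP hits per source address from kernel log lines.
# LOGDROP_SAMPLE holds constructed sample lines (hypothetical addresses); in
# production pass the contents of /var/log/messages instead.
LOGDROP_SAMPLE='Jun  1 10:00:01 host kernel: LOGDROP: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Jun  1 10:00:02 host kernel: LOGDROP: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Jun  1 10:00:05 host kernel: LOGDROP: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 ID=3 DF PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Jun  1 10:00:09 host sshd[1234]: Accepted publickey for alice from 10.0.3.4 port 55000 ssh2'

# Print "count address" for every SRC seen in a LOGDROP line, most hits first.
# $1: text containing log lines, e.g. logdrop_summary "$(cat /var/log/messages)"
logdrop_summary() {
    printf '%s\n' "$1" \
      | grep 'LOGDROP: ' \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Number of distinct addresses that were log-dropped.
logdrop_sources() {
    logdrop_summary "$1" | wc -l | tr -d ' '
}

# Hit count for one address ($2), 0 if it was never dropped.
logdrop_hits() {
    n=$(logdrop_summary "$1" | awk -v ip="$2" '$2 == ip {print $1}')
    printf '%s\n' "${n:-0}"
}
```

Because the LOG rule is limited to 1/s, these counts are a lower bound on the number of packets actually dropped.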