
Distributed brute force ssh attacks

Distributed brute force ssh attacks

Posted Oct 22, 2009 13:51 UTC (Thu) by mosfet (guest, #45339)
Parent article: Distributed brute force ssh attacks

Why not set the ssh port to something >10k and tell your users the port #? Works for me. Nobody seems to scan for a non-default ssh port (at least not for unpopular sites). But every default ssh port gets attacked.



One method- Distributed brute force ssh attacks

Posted Oct 22, 2009 17:52 UTC (Thu) by dlapine (guest, #7358)

Simple enough: set up 1 extra machine that is exposed to the same environment as the machines you'd like to protect, but allow no user logins. Configure the box to track all attempts to log in. Voila: all IPs you capture are bogus (save for the occasional user typo) and can be blocked on your other nodes. Yes, with a large enough botnet pool, every attempt on separate nodes in your network could be done with a unique bot, but I don't think the hack has advanced that far as of yet.

Even better, combine this with mosfet's suggestion, and move all the "real" nodes to a port other than the standard ssh one.
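
The decoy-host idea from the comment above, as an added example that is not part of the original thread: it turns the decoy's sshd log into a blocklist for the real nodes. The "Failed password" line format is OpenSSH's; the function name `build_blocklist`, the two-failure threshold (to forgive the occasional user typo) and the trusted-network allowlist are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed auth-log sample from the decoy host (documentation address ranges).
SAMPLE_LOG = """\
Oct 22 17:40:01 decoy sshd[811]: Invalid user admin from 203.0.113.7
Oct 22 17:40:03 decoy sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Oct 22 17:40:09 decoy sshd[815]: Failed password for root from 203.0.113.7 port 40120 ssh2
Oct 22 17:41:30 decoy sshd[820]: Failed password for root from 198.51.100.23 port 51514 ssh2
Oct 22 17:41:33 decoy sshd[820]: Failed password for root from 198.51.100.23 port 51514 ssh2
Oct 22 17:42:00 decoy sshd[822]: Failed password for invalid user test from 2001:db8::bad port 2200 ssh2
Oct 22 17:42:02 decoy sshd[822]: Failed password for invalid user test from 2001:db8::bad port 2200 ssh2
Oct 22 17:43:10 decoy sshd[830]: Failed password for alice from 192.0.2.44 port 60022 ssh2
Oct 22 17:43:40 decoy sshd[833]: Failed password for invalid user a from 192.0.2.44 port 1 ssh2 from 203.0.113.7 port 40130 ssh2
Oct 22 17:44:00 decoy sshd[831]: Failed password for invalid user x from 10.1.2.3 port 1234 ssh2
Oct 22 17:44:01 decoy sshd[831]: Failed password for invalid user x from 10.1.2.3 port 1234 ssh2
Oct 22 17:45:00 decoy CRON[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

# The username is chosen by the remote side, so it may itself contain
# " from <ip> port N ssh2". The greedy ".*" plus the "$" anchor means only
# the trailing address, the one sshd wrote, is ever captured.
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for .* from (\S+) port \d+ ssh2$")

def build_blocklist(log_text, min_failures=2, trusted=("10.0.0.0/8",)):
    """Return sorted source addresses with >= min_failures failed logins."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # not an sshd authentication failure
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # never block on text that is not a valid address
        if any(addr.version == n.version and addr in n for n in trusted_nets):
            continue  # assumed allowlist: do not lock out your own networks
        hits[addr] += 1
    return sorted(str(a) for a, n in hits.items() if n >= min_failures)

if __name__ == "__main__":
    for ip in build_blocklist(SAMPLE_LOG):
        print(ip)
```

The line for user "a" shows why the address is taken from the end of the line: a parser that matched the first "from" would count a second failure against 192.0.2.44 and block it.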

Distributed brute force ssh attacks

Posted Oct 23, 2009 0:20 UTC (Fri) by smoogen (subscriber, #97)

This used to work, but some of the botnets have gotten to scanning ports 0-65536 slowly to see what's up. They then come back later at your high port. Thankfully it's not a lot of them, but my guess is that at some point every botnet will have the logic in it.

Distributed brute force ssh attacks

Posted Oct 23, 2009 17:55 UTC (Fri) by clugstj (subscriber, #4020)

I changed from port 22 to port 443 for SSH on my home machine and haven't seen any brute force attacks on it since. (It's been a couple of years now).

Oddly enough, I had to change it because my employer started blocking outgoing connects to port 22. I think they only allow 80 and 443 now.

Distributed brute force ssh attacks

Posted Oct 30, 2009 9:57 UTC (Fri) by xoddam (subscriber, #2322)

> my employer started blocking outgoing connects to port 22

That's just sad. I hope you work somewhere sane now.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds