After thinking about it some more, and looking at the results of my previous iptables setup, I switched to Fail2Ban.

The main reason for the switch is the versatility. On some boxes I want a permanent ban for failed logins as only admin staff has logins. I want to be able to ban on failed FTP logins. And one day, I may want to ban on failed HTTP auth.

Ahh the joys of having a server on the public 'net.