I have been seeing an odd number of script kiddies probing the ssh service on my firewall. Until now it was not much, and I have been blocking them manually; however, a recent attack from 250+ zombies made me come up with a solution. I couldn't find any Debian-specific one, only a few Red Hat ones. So here it is. It is provided under the GNU license.
A few things I assume you already have: iptables installed along with its kernel modules, and a sane log rotation policy in place. If you don't, Google is your friend.
Please do take the time to study your log file, recognize the pattern, and customize the script if needed. Make sure it runs as root or as someone who is allowed to run iptables. I have omitted "iptables -F" because I have a cron job at the beginning of the day doing just that. You could leave the rules in place, but your table may get too big; I'll leave that to your judgement. Once that is done, a simple cron job will do the trick. Mine runs every minute.
Simple script to dynamically block the sources of a distributed ssh attack:
#!/bin/bash
# Collect source addresses from failed ssh attempts in auth.log.
# The awk field numbers match this system's log format; check them against yours.
grep -i "Failed keyboard" /var/log/auth.log | awk '{print $13}' > /var/log/block_tmp
grep -i "invalid user" /var/log/auth.log | awk '{print $10}' | grep -vi "user" | grep -vi "pwd" >> /var/log/block_tmp
grep -i "Did not receive identification string" /var/log/auth.log | awk '{print $12}' | grep -vi "user" | grep -vi "pwd" >> /var/log/block_tmp
# De-duplicate and drop unresolved entries.
sort -n /var/log/block_tmp | uniq | grep -v "UNKNOWN" > /var/log/listing
# Only block addresses that were not seen on the previous run.
if [ -e /var/log/old_listing ]; then
    diff /var/log/old_listing /var/log/listing | grep "^>" | sed 's|^> ||' > /var/log/block_tmp
else
    rm -f /var/log/block_tmp
    cp /var/log/listing /var/log/block_tmp
fi
rm -f /var/log/old_listing
cp /var/log/listing /var/log/old_listing
# Insert a DROP rule for each new address.
for i in $(cat /var/log/block_tmp)
do
    iptables -I INPUT -s "$i" -j DROP
done
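As an added example (not part of the original script), here is a variant that pulls the address from the "from <ip>" token instead of a fixed awk field, blocks only addresses with repeated failures, and validates each value as a dotted quad before it is handed to iptables. The log lines are constructed for the example, and block_commands only prints the iptables commands rather than running them.

```shell
#!/bin/bash
# Constructed sshd log lines, not from a real auth.log.
SAMPLE_LOG='Jan 10 03:12:01 fw sshd[2201]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:02 fw sshd[2201]: Invalid user admin from 203.0.113.5
Jan 10 03:12:03 fw sshd[2205]: Did not receive identification string from 198.51.100.9
Jan 10 03:12:04 fw sshd[2207]: Invalid user test from 203.0.113.5
Jan 10 03:12:05 fw sshd[2209]: Accepted publickey for ops from 192.0.2.10 port 40000 ssh2
Jan 10 03:12:06 fw sshd[2211]: Failed password for root from 198.51.100.9 port 4444 ssh2'

# Read log text from stdin; print each address that appears in at least
# $1 failure lines. Matching "from <ip>" survives sshd message changes that
# would shift a positional awk field.
offenders() {
    threshold="$1"
    grep -iE 'Failed (keyboard|password)|Invalid user|Did not receive identification string' \
      | grep -oE 'from [0-9]+(\.[0-9]+){3}' \
      | awk '{print $2}' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Accept only a dotted quad, so nothing else ever reaches the iptables command line.
valid_ipv4() {
    printf '%s' "$1" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Dry run: emit one iptables command per offender instead of executing it.
block_commands() {
    threshold="$1"
    printf '%s\n' "$SAMPLE_LOG" | offenders "$threshold" | while read -r ip; do
        if valid_ipv4 "$ip"; then
            printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
        fi
    done
}
```

To use it for real, replace SAMPLE_LOG with the contents of /var/log/auth.log and run the printed commands, keeping the diff-against-last-run logic from the script above so rules are not re-inserted every minute.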
