Provided you have ssh set up to ensure that root cannot log in directly and/or keys instead of passwords must be used, you aren't in much danger of being compromised. To ensure the logs are mostly kept clean, however, you need yet another solution such as changing the port, port-knocking, or a script such as fail2ban, denyhosts or blockhosts.

fail2ban is a script which writes blacklisted IPs to iptables, then denies them access to every service including ftp and http, not just ssh. Because I don't believe a solution such as fail2ban will scale (it can't be healthy having tens of thousands of IPs in iptables), I use denyhosts on my servers and have done so successfully for the past 12 months.

Denyhosts is a script which writes blacklisted IPs to hosts.deny, preventing them from accessing ssh as well as any other service which uses tcp wrappers. It has a truly wonderful feature where you can sync your results with a central server to share IPs for banning. This means my servers now have about 12000 IPs which are permanently blacklisted. There are just two disadvantages with denyhosts: with a large number of entries in hosts.deny, there is a noticeable delay (several seconds in my case) when logging in with ssh. And you can only deny requests which use tcp wrappers.

I've never used Blockhosts, but I believe it is similar to fail2ban, in that it can disallow blacklisted IPs from accessing any service, not just ssh.

Just one other thing: if you use a script, you need to be careful you don't accidentally ban your own IP (by entering a wrong password too many times) when accessing a remote server. :/

Whatever you decide to use, the more security you have, the more awkward it will be to access your own server/s.
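
The self-ban risk mentioned above can be checked from a second session before it locks you out. This is an added example, not part of the original post and not DenyHosts code: it reads hosts.allow and hosts.deny in the order TCP wrappers consults them (hosts.allow first) and reports whether an address would be refused. The function names and sample files are constructed for illustration, and only literal IPv4 entries and the `ALL` wildcard are handled.

```shell
#!/usr/bin/env bash
# Added example (not DenyHosts code): would TCP wrappers refuse my own address?
# Assumption: rules use literal IPv4 addresses or the ALL wildcard only.

# listed_in FILE DAEMON IP: succeed if a rule in FILE names IP for DAEMON.
listed_in() {
    [ -r "$1" ] || return 1
    awk -v daemon="$2" -v ip="$3" '
        /^[ \t]*(#|$)/ { next }                     # comments, blank lines
        {
            if (split($0, part, ":") < 2) next      # daemon_list : client_list
            hit = 0
            n = split(part[1], d, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (d[i] == daemon || d[i] == "ALL") hit = 1
            if (!hit) next
            n = split(part[2], c, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (c[i] == ip || c[i] == "ALL") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# wrapper_verdict ALLOW DENY DAEMON IP: hosts.allow is consulted first and a
# match there grants access; otherwise a match in hosts.deny refuses it.
wrapper_verdict() {
    if listed_in "$1" "$3" "$4"; then echo "allowed-by-rule"
    elif listed_in "$2" "$3" "$4"; then echo "denied"
    else echo "allowed-by-default"
    fi
}

# Constructed sample files (documentation address ranges, not real data).
make_samples() {
    printf '%s\n' '# constructed hosts.allow' 'sshd: 198.51.100.7' > "$1/hosts.allow"
    printf '%s\n' '# constructed hosts.deny' 'sshd: 203.0.113.5' \
        'sshd: 198.51.100.7' 'ALL: 203.0.113.99' > "$1/hosts.deny"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for ip in 198.51.100.7 203.0.113.5 203.0.113.99 192.0.2.10; do
    printf '%-14s %s\n' "$ip" \
        "$(wrapper_verdict "$tmp/hosts.allow" "$tmp/hosts.deny" sshd "$ip")"
done
rm -rf "$tmp"
```

In the sample, 198.51.100.7 appears in both files and is still allowed, which is why an entry for your own address in hosts.allow survives a later ban written to hosts.deny.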