How can we limit the impact of ssh probes?

I followed these instructions to add a 7-second delay to each wrong-password SSH login attempt. I made my sshd into a "tarpit" for the brute-force scanners.

I should also add that I have my modified, tarpit sshd log the failed passwords. This may not be entirely ethical, as it gives the root user a look at what regular users mistype as their own passwords, but since I'm the only "real" user, I figure that's OK.

I don't have it run on a non-standard port, as the "tarpit" aspect would not waste anyone's time.


It is indeed a fact of life. You can install tools to filter out hosts that are attacking you after a couple of failed attempts.

DenyHosts analyzes your log files and automatically adds attackers to your /etc/hosts.deny file.

Check the documentation on how to configure it for your needs.

Update: some important points suggested in the comments

  • be sure to properly configure tools such as DenyHosts, since you could lock yourself out (e.g., you can configure a machine or network that is never filtered)

  • DenyHosts does not increase your system security: it only filters attacks at the IP level (it might reduce the load on small machines and reduce the size of the log files but nothing more)
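As an added illustration of what a log-driven blocker like DenyHosts actually does (this is example code, not code from the answer above or from the DenyHosts project), the following script counts "Failed password" lines per source address over a few constructed auth.log lines, applies a threshold, skips addresses inside an allow-listed network so an administrator cannot lock themselves out, and renders the result in /etc/hosts.deny syntax. The log lines, addresses (documentation ranges), threshold and allow-list are all constructed for the example.

```python
"""Toy DenyHosts: count failed SSH logins per source IP in auth.log-style
lines and produce /etc/hosts.deny entries, honouring an allow-list.

Example code only; it is not DenyHosts and does not touch any real file.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample auth.log lines (OpenSSH format). Addresses come from
# the RFC 5737 documentation ranges; nothing here is a real host.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar  1 10:00:05 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.5 port 40113 ssh2
Mar  1 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.5 port 40114 ssh2
Mar  1 10:01:00 host sshd[1004]: Failed password for alice from 192.0.2.10 port 50001 ssh2
Mar  1 10:01:30 host sshd[1005]: Accepted publickey for alice from 192.0.2.10 port 50002 ssh2
Mar  1 10:02:00 host sshd[1006]: Failed password for bob from 198.51.100.7 port 33000 ssh2
Mar  1 10:02:10 host sshd[1007]: Failed password for bob from 198.51.100.7 port 33001 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d+\.\d+\.\d+\.\d+) port \d+"
)


def count_failures(log_text):
    """Return a Counter mapping source IP -> number of failed password attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def is_allowed(ip, allowed_networks):
    """True if ip falls inside any allow-listed network (CIDR strings)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed_networks)


def hosts_to_deny(counts, threshold, allowed_networks):
    """Addresses with at least `threshold` failures that are not allow-listed.

    Sorted (as strings) so the output is stable and easy to diff.
    """
    return sorted(
        ip for ip, n in counts.items()
        if n >= threshold and not is_allowed(ip, allowed_networks)
    )


def hosts_deny_lines(ips, service="sshd"):
    """Render entries in /etc/hosts.deny syntax: 'daemon: client'."""
    return [f"{service}: {ip}" for ip in ips]


if __name__ == "__main__":
    # Constructed policy: block after 2 failures, never block my admin network.
    allowed = ["192.0.2.0/24"]
    counts = count_failures(SAMPLE_LOG)
    for line in hosts_deny_lines(hosts_to_deny(counts, threshold=2, allowed_networks=allowed)):
        print(line)
```

With the constructed input and the allow-list above, 203.0.113.5 (3 failures) and 198.51.100.7 (2 failures) are denied, while 192.0.2.10 is skipped because it sits in the allow-listed network; as the answer notes, this only cuts noise and log volume at the IP level and does nothing about the strength of the credentials themselves.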


If only a small number of people need to SSH to the system, then consider moving SSH to a non-standard port (e.g. 6422, 8080, etc.). That alone will reduce the number of login attempts greatly (and possibly protect you from some unpatched-SSH-exploit-based worm, for example).

Tags: Security, Ssh