How to respond to a SSH brute force attack on a single VPS?
Yes, this is a perfectly reasonable and common approach. However, you've reinvented fail2ban. You probably want to switch to using that instead so you don't have to debug issues with your script and can make use of the existing filters for ssh, apache, and other common services.
Unfortunately, there is not terribly much you can do with these IPs. You can try to report the activity to the abuse contact listed for their IP block, but it's not really worth your time unless they do something more serious.
You should also do the standard ssh hardening, like disabling password-based and root logins unless you absolutely need them.
The most effective way to secure SSH system is to login using ssh private key only. You should disable password authentication and disallow direct root login. After that, you will still get many failed authentication attempt, but there's no chance in hell brute force attacker will be successful.
If you want to keep your logs clean after this, you should move your SSH port to a different port number.
It may be intimidating to see a million failed login attempts, but honestly the bandwidth and processing power these attempts are using ... is trivial.
So the real question becomes, is your system secure:
- Did you disable root login?
- Did you disable password authentication in favor of pub key?
- Did you change the default port of the sshd service on your VPS?
all of these changes can be done in the /etc/ssh/sshd_config file (make sure you restart sshd after making your changes)
You could use fail2ban, or some custom script to block these IPs on the firewall but the sshd authentication by itself is secure enough on its own ... adding more complexity is not necessarily any more secure and will most likely cause you to accidentally lock yourself out of the vps.