''iptables'' Configuration
Limiting Connection Rates
On servers with a static IP address where ssh has to be publicly accessible, you just cannot live without it. The rule consists of two entries: the first one matches and remembers, the second one handles the remembered packets:
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
For this feature to work, there needs to be support for the ''state'' and ''recent'' matches inside the kernel.
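A small Python model of how the two rules above treat a sequence of new connections per source address, added here as an illustration and not part of the original page. It assumes that packets the rules do not drop are accepted further down the chain; the addresses and timings are constructed sample data.

```python
from collections import defaultdict, deque

SECONDS = 60       # --seconds 60
HITCOUNT = 4       # --hitcount 4
PKT_LIST_TOT = 20  # default ip_pkt_list_tot of the recent match (stamps kept per source)


def simulate(attempts):
    """Return a verdict per (time, src) NEW connection to port 22.

    Models the two rules only; "PASS" means the packet was not dropped
    by them and continues to whatever rules or policy follow.
    """
    stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))
    verdicts = []
    for now, src in sorted(attempts):
        seen = stamps[src]
        # Rule 1: --set records the source and a timestamp, no target.
        seen.append(now)
        # Rule 2: --update matches when the source has at least HITCOUNT
        # stamps within the last SECONDS seconds.
        hits = sum(1 for t in seen if t >= now - SECONDS)
        if hits >= HITCOUNT:
            seen.append(now)  # --update refreshes "last seen" when it matches
            verdicts.append((now, src, "DROP"))
        else:
            verdicts.append((now, src, "PASS"))
    return verdicts


# Constructed sample: one source retrying every 10 s, then backing off,
# and one source connecting once a minute.
SAMPLE = [(t, "192.0.2.10") for t in (0, 10, 20, 30, 40, 100, 170)]
SAMPLE += [(t, "198.51.100.7") for t in (5, 65, 125, 185)]

if __name__ == "__main__":
    for now, src, verdict in simulate(SAMPLE):
        print(f"t={now:>3}s  {src:<13} {verdict}")
```

The fourth new connection within 60 seconds is the first one dropped, and a source that keeps retrying stays dropped because every attempt, dropped or not, is recorded.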
config/iptables.txt · Last modified: 2006/07/20 01:36 by 127.0.0.1