Here you go - adjust recent count/time to taste. Make sure you keep them in the same order!
rule 5 {
    action drop
    description SSH
    destination {
        port 22
    }
    log enable
    protocol tcp
    recent {
        count 4
        time 60
    }
    state {
        established disable
        invalid disable
        new enable
        related disable
    }
}
rule 6 {
    action accept
    description SSH2
    destination {
        port 22
    }
    log disable
    protocol tcp
}
Also, as far as changing your SSH port: I see a lot of FUD about doing this on the interwebs. There's nothing inherently wrong with doing this as long as you understand that it's not a cure-all and should be used in combination with other best practices (rate limiting, public key authentication, good patching habits, etc. etc.). I like to think of it like buying a radar detector or laser jammer for your car: the goal isn't to make you untouchable, it's to make you a less attractive target than Joe Schmoe over there who has a login of root/password1 and is running a LAMP stack so old it belongs next to the Heartbleed and Shellshock exhibits in the museum of bad memories. Personally, I don't do this because it would be inconvenient for me to have to reference which port number SSH was running on every time I need to remote into a router.
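The rule pair above, modelled in Python as an added example that is not part of the original post: it shows what `count 4` / `time 60` does to a burst of new connections and why rule 5 has to come before rule 6. The source addresses, function names and the simplified sliding-window model of `recent` (every new attempt is recorded, including dropped ones) are assumptions.

```python
from collections import defaultdict, deque

COUNT, WINDOW = 4, 60   # rule 5: recent { count 4, time 60 }

def rule5_drop(history, src, now, new):
    """Rule 5: match NEW tcp/22 connections once src hits COUNT within WINDOW seconds."""
    if not new:
        return False                 # state { new enable }: established traffic skips this rule
    seen = history[src]
    seen.append(now)                 # assumption: dropped attempts are counted too
    while now - seen[0] >= WINDOW:   # forget attempts older than the window
        seen.popleft()
    return len(seen) >= COUNT

def rule6_accept(history, src, now, new):
    """Rule 6: accept anything to tcp/22 that reaches it."""
    return True

def evaluate(rules, events):
    """First matching rule wins, as in the firewall ruleset."""
    history = defaultdict(deque)
    verdicts = []
    for src, now, new in events:
        for action, match in rules:
            if match(history, src, now, new):
                verdicts.append(action)
                break
    return verdicts

# Constructed sample traffic: (source, seconds, is_new_connection)
SCANNER, ADMIN = "203.0.113.5", "198.51.100.7"
EVENTS = [(SCANNER, t, True) for t in (0, 5, 10, 15, 20, 25)] + [
    (SCANNER, 26, False),   # packet on a session that was already accepted
    (ADMIN, 30, True),      # single login from another address
    (SCANNER, 100, True),   # scanner returns after the window has expired
]

AS_POSTED = [("drop", rule5_drop), ("accept", rule6_accept)]
SWAPPED = [("accept", rule6_accept), ("drop", rule5_drop)]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("swapped", SWAPPED)):
        print(label, evaluate(rules, EVENTS))
```

With the rules swapped, rule 6 accepts every packet before rule 5 is ever consulted, so the rate limit never fires.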