How to deny suspicious hosts

I think your problem lies a little deeper. The issue isn't with hosts.allow or even the firewall.

hosts.allow only has any real effect when you also have a hosts.deny file that blocks unwanted addresses. man 5 hosts_access goes into more detail.

The specific problem you're encountering here is with the sshd_config option KerberosGetAFSToken. For whatever reason, this option is causing an sshd error and would likely occur regardless of whether a legitimate or illegitimate user was trying to log on.

What's most concerning is that KerberosGetAFSToken is a standard configuration command that should work, and exists in the default configuration.

You can stop this login attempt by adding the relevant IP address to /etc/hosts.deny but I'd look to spend some time working out why the sshd_config is now throwing errors.

You need to employ one of the below to block password based 'attacks' against an Internet-facing ssh server:

DenyHosts: http://denyhosts.sourceforge.net/

BlockHosts: http://www.aczoom.com/cms/blockhosts

You should also setup your ssh server to use key-based logins not password-based logins.

The IP address, 222.73.216.8, that you are seeing is from a netblock in China. Chinese-based ssh dictionary attacks have been a common problem for many years.

Additionally, comment out this line, KerberosGetAFSToken in /etc/sshd_config as this is for the AFS filesystem that is not supported OOB on OS X.

Would this be something I could use?

No. This will not stop dictionary attacks against your ssh server. What it could do is be used as a DOS against your directory server. Any Internet facing system that employs a directory backend could easily be used as way to deny service to your internal clients simply by way of overwhelming it with requests. Vulnerabilities in the Pluggable Authentication Module (PAM) could possibly lead to privilege escalation that might be used to take over the box, also.

And if I set up that, does that mean that only those computers which are authenticated to OD are allowed to access ssh?

Yes. Even employing the GSSAPI-with-MIC method of login would limit the ability to login to the server to OD bound clients only.

Does this mean I will not be able to ssh into the server form home?

Yes.

Your best course of action is to employ key-based authentication -denying password authentication and 'root' user logins- by employing a method of blocking password-based attacks such as one of the software solutions posted earlier. Manually adding hosts to the /etc/hosts.deny file will soon become a daily task for you to protect your ssh server.