So far it is a no-go; we just tried to set up Bastille again and are still getting iptables warnings. We are still looking into it, though.
BTW, if they got in through ssh, it should show in the files under /var/log/. Check messages to see if the account name is there (it should be), and secure should show whether the correct passwd was used.
We have Bastille up and running again with the latest kernel; the main trick is to ensure that the kernel is compiled with all the iptables components as modules. Then set up the default rule so psad functions properly.
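The log check suggested earlier in the thread (does the account name appear, and was the correct password used), as an added example that is not part of the original posts. It assumes the usual sshd syslog line format found in /var/log/secure; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual sshd syslog format (not from the original posts).
SAMPLE_SECURE = """\
Mar  3 02:11:40 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4011 ssh2
Mar  3 02:11:44 host1 sshd[2103]: Failed password for alice from 203.0.113.5 port 4012 ssh2
Mar  3 02:11:49 host1 sshd[2105]: Failed password for alice from 203.0.113.5 port 4013 ssh2
Mar  3 02:11:55 host1 sshd[2107]: Accepted password for alice from 203.0.113.5 port 4014 ssh2
Mar  3 09:30:02 host1 sshd[3310]: Accepted publickey for bob from 192.0.2.10 port 50122 ssh2
""".splitlines()

# Older sshd builds log "illegal user", newer ones "invalid user"; accept both.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<unknown>(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize_ssh_auth(lines):
    """Return {(user, ip): {"accepted": n, "failed": n, "unknown_user": bool}}."""
    stats = defaultdict(lambda: {"accepted": 0, "failed": 0, "unknown_user": False})
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an sshd authentication result line
        entry = stats[(m["user"], m["ip"])]
        entry["accepted" if m["result"] == "Accepted" else "failed"] += 1
        entry["unknown_user"] |= bool(m["unknown"])
    return dict(stats)

def logins_with_failures(stats, threshold=2):
    """(user, ip) pairs with a successful login and >= threshold failures from that source."""
    return sorted(k for k, v in stats.items()
                  if v["accepted"] and v["failed"] >= threshold)

if __name__ == "__main__":
    stats = summarize_ssh_auth(SAMPLE_SECURE)
    for (user, ip), v in sorted(stats.items()):
        print(f"{user:8} {ip:15} accepted={v['accepted']} failed={v['failed']} "
              f"unknown_user={v['unknown_user']}")
    print("review:", logins_with_failures(stats))
```

To run it against a real host, pass the lines of /var/log/secure to `summarize_ssh_auth` instead of the sample.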