Something that I haven't seen mentioned in these discussions is pam_shield. It hooks into PAM,
actively knows and registers when a failed attempt to logon has happened and takes action when
something is beyond a certain treshold.
The default action it takes is to null-route the source ip address for a certain amount of
You can provide a list of networks that it should never null-route (to protect your own
systems from being blocked this way).
To me this system is perfect since:
- it does not have to scan a log files every X time
- it does not mess around with the firewall (or it could if you so like)
- it works on more than just SSH (FTP or else anything in PAM)
- it is pretty simple and straightforward to use
- it is very customizable as the action to take can be a simple script
You can get pam_shield from: