This is a simple script that parses your secure log and adds IPs with more than x failed login attempts to the hosts.deny file. The number of attempts required before an address is blocked is configurable via a variable in rwsecure.
You can specify the path to your secure log by editing the secureLogPath variable in rwsecure. The default is /var/log/secure.
Put this file in any directory of your choice and use cron to run it every few minutes, hours, or days. Adding this entry to your crontab will run it every 5 minutes (the root user field is the system crontab format, as used in /etc/crontab):
    */5 * * * * root /yourdirectory/rwsecure
This is just an example of a way to run it without user intervention.
If you run this program every few minutes, consider no longer logging info-level messages from auth, or logging them to a separate file, as miscellaneous cron messages can start to fill your logs.
The program appends to /etc/hosts.deny. This file can be changed via the variable in rwsecure: just vi rwsecure and change HostsDenypath to whatever you want.
Sample program output:
ALL: 82.140.81.26 # Added by rwsecure on Sep 17 18:18:01 2005
ALL: 67.15.20.58 # Added by rwsecure on Sep 18 04:42:01 2005
ALL: 211.78.142.116 # Added by rwsecure on Sep 18 06:22:01 2005
ALL: 130.215.226.185 # Added by rwsecure on Sep 19 04:26:01 2005
ALL: 70.85.221.46 # Added by rwsecure on Sep 21 09:26:01 2005
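The log-to-hosts.deny step described above, as an added Python example (not rwsecure's own code). It assumes the OpenSSH "Failed password for ... from IP port N ssh2" message format; the function names, the max_failures parameter and the sample log (documentation address ranges) are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed OpenSSH message shape. The match is anchored to the end of the
# line, so text inside the attempted username cannot be mistaken for the
# source address that sshd appends last.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+(?: ssh\d?)?\s*$"
)

def failed_counts(log_lines):
    """Count failed password attempts per source IP."""
    counts = Counter()
    for line in log_lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or garbage: never written to hosts.deny
        counts[str(ip)] += 1
    return counts

def new_deny_lines(log_lines, existing_deny, max_failures, stamp):
    """hosts.deny lines for IPs with more than max_failures failures,
    skipping addresses the file already lists."""
    already = set(re.findall(r"^ALL:\s*(\S+)", existing_deny, re.M))
    return [
        f"ALL: {ip} # Added by rwsecure on {stamp}"
        for ip, n in sorted(failed_counts(log_lines).items())
        if n > max_failures and ip not in already
    ]

# Constructed sample data, not taken from a real log.
P = "Sep 17 18:17:01 host sshd[2211]: "
SAMPLE_LOG = (
    [P + "Failed password for root from 192.0.2.10 port 40112 ssh2"] * 4
    + [P + "Failed password for invalid user x from 198.51.100.7 port 1 ssh2"
           " from 203.0.113.9 port 40200 ssh2"] * 4
    + [P + "Failed password for bob from 192.0.2.55 port 40300 ssh2"] * 3
    + [P + "Accepted password for bob from 192.0.2.55 port 40301 ssh2"]
)
SAMPLE_DENY = "ALL: 192.0.2.10 # Added by rwsecure on Sep 17 18:18:01 2005\n"

if __name__ == "__main__":
    for line in new_deny_lines(SAMPLE_LOG, SAMPLE_DENY, 3, "Sep 18 04:42:01 2005"):
        print(line)
```

Because the cron job reruns over the same log every few minutes, the check against existing hosts.deny entries is what keeps the file from accumulating duplicate lines.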
