SSH attacks

The attached file contains 36 months of data, sorted in descending order by number of attempts and originating IP address.
Is it possible to block any type of communication with an IP address after so many (5 or 10) failed attempts? The documentation (for OpenSSH) says that it is possible to slow the login rate after so many (default 10) failed passwords, but that only seems to apply if the perpetrator logs in once and repeatedly enters passwords. If each attempt is only the first attempt, then this rule does not apply.

Not sure if this helps: fail2ban, look it up.

fail2ban(8) - Linux man page

Check this iptables article:
SSH Dictionary Attack Prevention with iptables HostingFu

Thanks for the links. It's for SCO, not Linux, but there was lots of good reading material.

I came up with a rather simple solution (at least I think).
I used a password generator to create a new random 8 character user name.
Assigned a generated password to it, and gave it su privilege.
Then I added "Allowuser xxxxxxx" to sshd_config.

Do you mean you've configured it so only that randomly-generated user can ssh in?

Yes... so first they have to guess the user ID, then they have to guess the password.
The users in the office use telnet (port 23), and port 22 is the only open port in the router.
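For reference, the sshd_config directive that restricts logins to a list of names is spelled AllowUsers. The fragment below is an added example, not the poster's actual configuration; "xxxxxxx" stands in for the generated user name. It also shows why the limit the original question mentions does not help against one-guess-per-connection scanners: MaxAuthTries counts attempts within a single connection only.

```sshd_config
# sshd_config excerpt (added example; "xxxxxxx" is a placeholder for the
# randomly generated account name)

# Only this account may authenticate over SSH.  Every other user name is
# refused before the password is even checked, so a scanner first has to
# guess the name and only then the password.
AllowUsers xxxxxxx

# Upper bound on authentication attempts *per connection*.  A client that
# opens a fresh TCP connection for every guess restarts this counter each
# time, which is why it does not answer the original question on its own.
MaxAuthTries 10

# Optional tightening the post does not use: take passwords out of the
# picture for that one account as well and require a key instead.
# PasswordAuthentication no
```

After editing, `sshd -t` checks the file for syntax errors before the daemon is restarted; a typo such as "Allowuser" is reported as an unknown directive rather than silently ignored.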

That sounds very secure indeed. They'll still clutter up your log files, but oh well.

Maybe you can invoke this script:

#!/bin/bash
# Usage: block-failed-hostsdeny.sh [limit]   (default limit: 10 failed attempts)
(( $# != 1 )) && lim=10 || lim=$1
# Pull the source address out of every "Failed password for ... from <IP> port <N> ssh2"
# line ($(NF-3) is the field three before the end), count per IP, and deny sshd via
# TCP wrappers for any address above the limit.
while read -r num IP; do
      if (( num > lim )); then
            # -F: match the address literally (dots are regex metacharacters),
            # -w: do not let 1.2.3.4 match an existing 1.2.3.45 entry, -q: no output
            if ! grep -qwF -- "${IP}" /etc/hosts.deny; then
                echo "sshd: ${IP}" >> /etc/hosts.deny
            fi
      fi
done < <(awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c)

or

#!/bin/bash
# Usage: block-failed-iptables.sh [limit]   (default limit: 10 failed attempts)
(( $# != 1 )) && lim=10 || lim=$1
while read -r num IP; do
      # Insert at the top of INPUT so the DROP precedes any ACCEPT for port 22, and only
      # if the rule is not already there: re-running -A from cron piles up duplicates.
      if (( num > lim )) && ! /sbin/iptables -C INPUT -s "${IP}" -j DROP 2>/dev/null; then
            /sbin/iptables -I INPUT -s "${IP}" -j DROP
      fi
done < <(awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c)

add the script to crontab!