I do something similar, but just for ssh.
I have a line in /etc/pam.d/sshd that says
Code:
auth [default=ignore] pam_exec.so /usr/local/bin/ssh_lockout
/usr/local/bin/ssh_lockout looks like this:
Code:
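#!/usr/local/bin/ruby
# Run by pam_exec on each sshd auth attempt.
ip_format = /\A(\d{1,3}\.){3}\d{1,3}\z/   # anchored: the whole field must be a dotted quad
today = Time.now.strftime('%a %b %e')     # e.g. "Mon Jan  5", day space-padded as lastb prints it
# The host column comes after user and tty, so take the last IP-shaped field on the line
# (a username that merely looks like an IP is then ignored).
host_of = lambda { |line| line.split(/\s+/).select { |substr| substr =~ ip_format }.last }
failed_ips = %x[lastb -i].split(/\n/).select { |line| line.include?(today) }.collect(&host_of).compact
last_failed_ip = host_of.call(%x[lastb -i -n 1].split(/\n/).first.to_s)
if last_failed_ip && failed_ips.count(last_failed_ip) > 5
  # Leave addresses that are listed in /etc/hosts alone
  if File.readlines('/etc/hosts').none? { |line| line.split.include?(last_failed_ip) }
    # Append from Ruby rather than through a shell, so the value is never interpolated into a command
    File.open('/etc/hosts.deny', 'a') { |f| f.puts "sshd : #{last_failed_ip} : deny" }
    File.open('/var/log/ssh_lock', 'a') { |f| f.puts "#{last_failed_ip} has been blocked at #{Time.now}" }
  end
end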
So every day, if an IP gets more than 5 incorrect login attempts, it gets added to /etc/hosts.deny for sshd.
I do it on a daily basis in case I'm having a bad day.
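The per-day counting and threshold check described in this post, as an added example that is not the poster's script: it runs over constructed `lastb -i` style lines (column order user, tty, host, date is assumed) and counts only the last field that parses as an IPv4 address, so a username shaped like an address is not counted. The function names, the allowlist parameter and the sample addresses are illustrative.

```ruby
require 'ipaddr'

THRESHOLD = 5 # the post blocks on more than 5 failures in a day

# Constructed sample, not real log data: lastb -i style lines (user, tty, host, date).
SAMPLE = (
  ['root      ssh:notty    203.0.113.7      Mon Jan  5 10:12 - 10:12  (00:00)'] * 6 +
  ['admin     ssh:notty    198.51.100.9     Mon Jan  5 10:15 - 10:15  (00:00)'] * 2 +
  ['192.0.2.1 ssh:notty    198.51.100.9     Mon Jan  5 10:16 - 10:16  (00:00)',
   'root      ssh:notty    203.0.113.7      Sun Jan  4 23:59 - 23:59  (00:00)',
   '',
   'btmp begins Sun Jan  4 00:00:01 2026']
).join("\n")

# True only for a complete dotted-quad IPv4 address with octets in range.
def ipv4?(field)
  return false unless field.match?(/\A\d{1,3}(\.\d{1,3}){3}\z/)
  IPAddr.new(field).ipv4?
rescue IPAddr::Error
  false
end

# Host column comes after user and tty, so use the last field that is an IPv4 address.
def host_of(line)
  line.split.reverse.find { |field| ipv4?(field) }
end

# Failures per source address for lines dated `day` (e.g. "Mon Jan  5").
def failures_by_ip(lastb_output, day)
  counts = Hash.new(0)
  lastb_output.each_line do |line|
    next unless line.include?(day)
    ip = host_of(line)
    counts[ip] += 1 if ip
  end
  counts
end

# Addresses over the threshold, minus any the operator has allowlisted.
def ips_to_block(lastb_output, day, allowlist = [])
  failures_by_ip(lastb_output, day)
    .select { |ip, n| n > THRESHOLD && !allowlist.include?(ip) }
    .keys
end

p ips_to_block(SAMPLE, 'Mon Jan  5')
```

On a live system the day string would come from `Time.now.strftime('%a %b %e')`, which pads single-digit days the same way the sample lines do.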