Memo: a swatchrc that blocks ssh with zero flexibility

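# Login attempt for an account that does not exist:
# mail root, ring the bell, and deny the source address for sshd.
watchfor   /Invalid user \S+ from (\S+)/i
        mail=root,subject=swatch_error_log
        bell 3
        exec="echo sshd: $1 >> /etc/hosts.deny "

# Account exists but is not listed in AllowUsers: same handling.
watchfor   /User \S+ from (\S+) not allowed because not listed in AllowUsers/i
        mail=root,subject=swatch_not_allowed
        bell 2
        exec="echo sshd: $1 >> /etc/hosts.deny "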

It might be worth at least sending the mail to an external address.
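
The `exec` actions above pass whatever `(\S+)` captured straight into a shell command and into `/etc/hosts.deny`. As an added example (not part of the original memo), the hypothetical helper below checks the address before writing it; it assumes IPv4 sources only and that the matched log line arrives on stdin, for instance through swatch's `pipe` action with the script called as `sshd-deny.sh --stdin` (name and argument are made up here).

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of swatch): read a matched
# sshd log line and append "sshd: <addr>" to the deny file only when the
# address is a well-formed IPv4 literal that is not already listed.
DENY_FILE="${DENY_FILE:-/etc/hosts.deny}"

# Succeed only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the token that follows the LAST " from " in the line. The user name
# earlier in the line is client-supplied text and must not decide the match.
extract_addr() {
    case "$1" in
        *" from "*) ;;
        *) return 1 ;;
    esac
    rest=${1##* from }
    printf '%s\n' "${rest%% *}"
}

# Validate, de-duplicate, then append. Returns 2 when the line is refused.
deny_from_line() {
    addr=$(extract_addr "$1") || return 2
    is_ipv4 "$addr" || return 2
    entry="sshd: $addr"
    if [ -f "$DENY_FILE" ] && grep -qxF -- "$entry" "$DENY_FILE"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$DENY_FILE"
}

# Run as "sshd-deny.sh --stdin" to handle one log line per line of stdin.
if [ "${1:-}" = "--stdin" ]; then
    while IFS= read -r line; do
        deny_from_line "$line" || echo "refused line" >&2
    done
fi
```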