A great solution for such a scenario is an open source, Python-based application called "Fail2ban".
Fail2ban is capable of working with multiple log files and multiple services.
The flexibility and integration with iptables is a major benefit of fail2ban: the IP filtering is performed at the kernel level.
Basically, all of these should already be installed on your system (default install).
Installation process (I used a CentOS box for this example):
1) Install the application using Yum
#yum install fail2ban -y
2) Edit the fail2ban configuration file called "jail.conf"
3) Under the [DEFAULT] section we can find global configuration such as friendly hosts, ban time, search time etc. Let's adjust these parameters to meet our needs.
Here we will tell fail2ban to ignore localhost, email@example.com and the 192.168.1.0/24 subnet:
ignoreip = 127.0.0.1, firstname.lastname@example.org, 192.168.1.0/24
If a host violates the rules it will be banned for this amount of time (in seconds):
bantime = 1209600
A host is banned if it has generated "maxretry" failures during the last "findtime" seconds:
findtime = 1800
The number of failures before a host gets banned:
maxretry = 3
4) Let's say we want fail2ban to scan for SSH log-in attempts.
Scroll to the "[ssh-iptables]" section and enable it:
enabled = true
Next, change the SSH logfile we want to scan:
logfile = /var/log/secure
Adjust the maximum number of failures the system will allow:
maxretry = 3
Comment out the "sendmail-whois" section and change the email address to your own, so that you receive mail alerts whenever fail2ban bans an IP.
sendmail-whois[name=SSH, email@example.com, sender=fail2ban]
5) That's it. Save the file and restart fail2ban and iptables:
#/etc/init.d/fail2ban restart
#/etc/init.d/iptables restart
#chkconfig iptables on
#chkconfig fail2ban on
Don't forget to check that the email alerts work, and you are done.
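To make the interplay of ignoreip, findtime, maxretry and bantime above concrete, here is an added example (written for this page, not code from the fail2ban project) that simulates fail2ban's sliding-window counting over constructed /var/log/secure lines; the sshd log format and the sample addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
# The jail.conf values from the walkthrough above
FINDTIME = 1800     # window (s) in which failures are counted
MAXRETRY = 3        # failures inside FINDTIME that trigger a ban
BANTIME = 1209600   # seconds a ban stays in place (14 days)
IGNOREIP = [ipaddress.ip_network(n) for n in ("127.0.0.1", "192.168.1.0/24")]
# sshd failure line as typically written to /var/log/secure (assumed format)
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
# Constructed sample log: one brute-forcer, one ignored LAN host, one slow host
SAMPLE_LOG = [
    "Mar 5 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "Mar 5 10:05:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 5002 ssh2",
    "Mar 5 10:09:03 host sshd[1003]: Failed password for root from 203.0.113.7 port 5003 ssh2",
    "Mar 5 10:10:00 host sshd[1004]: Failed password for root from 192.168.1.20 port 5004 ssh2",
    "Mar 5 10:10:05 host sshd[1005]: Failed password for root from 192.168.1.20 port 5005 ssh2",
    "Mar 5 10:10:09 host sshd[1006]: Failed password for root from 192.168.1.20 port 5006 ssh2",
    "Mar 5 11:00:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 5007 ssh2",
    "Mar 5 11:40:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 5008 ssh2",
    "Mar 5 12:05:00 host sshd[1009]: Failed password for root from 198.51.100.9 port 5009 ssh2",
]

def is_ignored(ip):
    """ignoreip check: hosts inside these networks are never banned."""
    return any(ipaddress.ip_address(ip) in net for net in IGNOREIP)

def find_bans(lines, year=2024):
    """Sliding-window scan; returns {ip: (ban_time, unban_time)} as epoch seconds."""
    failures = defaultdict(deque)           # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").timestamp()
        ip = m.group(2)
        if is_ignored(ip) or ip in bans:
            continue
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > FINDTIME:         # forget failures older than findtime
            q.popleft()
        if len(q) >= MAXRETRY:              # here fail2ban would insert the iptables rule
            bans[ip] = (ts, ts + BANTIME)
    return bans
```

The third host never gets banned because its three failures span more than findtime, which is exactly why the window is worth tuning alongside maxretry.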