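#
# rwsecure - add hosts with repeated failed SSH logins to hosts.deny.
#
# Scans the authentication log for lines matching "Invalid" or
# "Failed password", counts them per source address, and appends an
# "ALL: <address>" rule to the deny file for every address seen more
# than THRESHOLD times that is not already listed there.
#
# Usage: rwsecure [AUTH_LOG [DENY_FILE [THRESHOLD]]]
#   AUTH_LOG   log to scan             (default /var/log/auth/all)
#   DENY_FILE  tcp-wrappers deny file  (default /etc/hosts.deny)
#   THRESHOLD  attempts tolerated      (default 15)
#
# NOTE(review): the original header said "more than 3" attempts, but the
# code has always compared against 15. The default keeps 15; pass a
# THRESHOLD to change it.
#
# Parts of each log line (for example the user name) are chosen by the
# remote client, so the extracted token is only trusted once it parses
# as a dotted-quad IPv4 address. Anything else is skipped, because
# hosts.deny would read a keyword or a prefix pattern as a much broader
# rule than one host. Bare IPv6 addresses are skipped too: hosts.deny
# uses ':' as its field separator.
#

#######################################
# Print the source addresses whose failure count exceeds the limit.
# Arguments: $1 - path of the authentication log
#            $2 - limit; addresses with a count greater than this print
# Outputs:   one IPv4 address per line on stdout, lowest count first;
#            a one-line summary on stderr when tokens were skipped
#######################################
rwsecure_offenders() {
  awk '/Invalid|Failed password/' < "$1" |
    sed -e 's/.*from.//' -e 's/port.*//' |
    awk '{ print $1 }' |
    sort | uniq -c | sort -n |
    awk -v limit="$2" '
      ($1 + 0) > (limit + 0) {
        ok = ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
        if (ok) {
          split($2, octet, ".")
          for (k = 1; k <= 4; k++)
            if (octet[k] + 0 > 255)
              ok = 0
        }
        if (ok)
          print $2
        else
          skipped++
      }
      END {
        # Report a count only: the token itself is log-derived text.
        if (skipped)
          printf "rwsecure: skipped %d non-IPv4 source token(s)\n", skipped | "cat 1>&2"
      }
    '
}

#######################################
# Entry point: append a deny rule for each new offending address.
# Arguments: see "Usage" in the file header.
# Returns:   0 on success, 1 on I/O failure, 2 on a bad THRESHOLD
#######################################
rwsecure() {
  rw_log=${1:-/var/log/auth/all}
  rw_deny=${2:-/etc/hosts.deny}
  rw_limit=${3:-15}

  case $rw_limit in
    '' | *[!0-9]*)
      printf 'rwsecure: threshold must be a non-negative integer\n' >&2
      return 2
      ;;
  esac

  if [ ! -r "$rw_log" ]; then
    printf 'rwsecure: cannot read %s\n' "$rw_log" >&2
    return 1
  fi

  rw_ips=$(rwsecure_offenders "$rw_log" "$rw_limit") || return 1

  # Same "Mon D HH:MM:SS YYYY" stamp as before; LC_ALL=C pins the field
  # positions that the awk selection relies on.
  rw_stamp=$(LC_ALL=C date | awk '{ print $2 " " $3 " " $4 " " $6 }')

  # Word splitting is intentional here: every token was validated as
  # digits and dots only, so it cannot glob or carry whitespace.
  for rw_ip in $rw_ips; do
    # Fixed-string, whole-word match. A plain regex grep treated "." as
    # a wildcard and matched substrings, so an existing rule for
    # 11.2.3.40 would hide the fact that 1.2.3.4 was never listed.
    # The whole line (comments included) is searched, so an entry the
    # administrator commented out is still not re-added.
    if [ -f "$rw_deny" ] && grep -qwF -- "$rw_ip" "$rw_deny"; then
      continue
    fi
    printf 'ALL: %s \t# Added by rwsecure on %s\n' "$rw_ip" "$rw_stamp" \
      >> "$rw_deny" || return 1
  done
}

rwsecure "$@"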