blino's website

Free software developer and more

We should really detect more network attacks in Mandriva's Interactive Firewall project, and SSH brute-force attacks are today's plague.

Some solutions use the ipt_recent module from iptables to blacklist users if they try too often to connect:

Some programs parse logs to detect attacks (/var/log/auth.log):
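The log-parsing approach, sketched as an added example (not part of the original post, and not the code of any particular tool): it counts failed sshd password attempts per source address inside a sliding time window. The log lines are constructed samples, and the threshold, window, function name and assumed year are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual sshd syslog format (not real logs;
# the addresses come from the documentation ranges).
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[4021]: Failed password for root from 203.0.113.7 port 41022 ssh2
Mar  3 10:15:03 host sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Mar  3 10:15:04 host sshd[4025]: Accepted password for alice from 198.51.100.20 port 50112 ssh2
Mar  3 10:15:06 host sshd[4027]: Failed password for invalid user test from 203.0.113.7 port 41044 ssh2
Mar  3 10:15:09 host sshd[4029]: Failed password for root from 203.0.113.7 port 41051 ssh2
Mar  3 10:20:00 host sshd[4040]: Failed password for bob from 198.51.100.20 port 50200 ssh2
Mar  3 10:45:00 host sshd[4051]: Failed password for bob from 198.51.100.20 port 50230 ssh2
"""

# The user name is chosen by the client, so it is matched greedily and the
# pattern is anchored at the end of the line: the address that is extracted
# is always the one sshd itself appended, never text inside the user name.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+(?: ssh\d)?\s*$"
)

def find_bruteforce(lines, max_failures=3, window=timedelta(seconds=60), year=2005):
    """Return {ip: time of the failure that crossed the threshold}."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so one has to be assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) > max_failures and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} exceeded the failure threshold at {when}")
```

The second address fails twice, 25 minutes apart, and is not flagged: the result depends entirely on the chosen threshold and window.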

But I'd rather use more integrated solutions, instead of connection count heuristics or log parsing. PAM looks like the exact component where this detection should take place; we already mentioned it when IFW was designed, with Fred Lepied.

It seems pam_abl already does that (see pam_abl's doc). A further effort could be to blacklist the attackers not only in PAM, but also in iptables, using some Interactive Firewall notifications.

Olivier Blin (2005)