Neil Aggarwal wrote: > It looks like BLOCK_SERVICE tells what to block once the > offender has been identified. > > What I am talking about is the process of identifying the > offender in the first place. It looks like only a failed SSH > login attempt will cause someone to be blocked. If they > try to attack another service (pop3s for example), > DenyHosts will not block them. > I've been using fail2ban for more than a year now. For now I only use it to monitor SSH. Fail2ban monitors log files (/var/log/secure for SSH) and if the authentication fails more than x times (3 for me) uses iptables to block (ban) that particular IP address during xxxx seconds (1h for me). Bans are logged identifying the IP address of the attacker. Fail2ban also works (or almost) "out of the box" with proftpd / sasl / vsftpd among others. It's possible to configure fail2ban to monitor other software/services such as dovecot. Look at fail2ban homepage for more info. You may find a nice article at http://www.the-art-of-web.com/system/fail2ban Manuel