> That program would then, upon receiving a 'sniff' or 'user' would then add
> that ip to the deny hosts lists..for either a long or short time.
>
> Using this would seem like a win as you can easily grab someone before they
> can get somewhere one hopes.
> Also, by opening up a few other ports that are unusual like 8561....well, if
> someone sniffs that it could be a 3 day ban or a month...
>
> In other words, anyone hitting those ports that are not being used at all
> except by our sniff protector, would allow instant banning.
>
> So...does something like this exist?

fail2ban... near enough a fit...
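
The decoy-port banning idea from the quoted message, as an added example that is not part of the original thread and is not fail2ban's code: hits on unused ports become timed deny entries. The port 8562, the allowlisted range, the event tuples and the TCP-wrappers style `ALL: <ip>` output are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed policy: decoy ports nothing legitimate uses, each with a ban length.
# 8561 and the 3-day / one-month figures come from the message; 8562 is made up.
DECOY_PORTS = {8561: timedelta(days=3), 8562: timedelta(days=30)}
# Never ban these (assumed management range), so a mistake cannot lock admins out.
ALLOWLIST = [ip_network("192.0.2.0/28")]


def apply_hits(hits, bans=None):
    """hits: iterable of (timestamp, source_ip, dest_port). Returns {ip: expiry}."""
    bans = dict(bans or {})
    for when, src, port in hits:
        length = DECOY_PORTS.get(port)
        if length is None:
            continue  # not a decoy port: leave it to normal service handling
        addr = ip_address(src)
        if any(addr in net for net in ALLOWLIST):
            continue
        expiry = when + length
        # Keep the longest ban when one address trips several decoys.
        if addr not in bans or expiry > bans[addr]:
            bans[addr] = expiry
    return bans


def render_hosts_deny(bans, now):
    """Emit TCP-wrappers style lines for bans that have not expired at `now`."""
    live = [(ip, exp) for ip, exp in bans.items() if exp > now]
    live.sort(key=lambda item: (item[0].version, int(item[0])))
    return [f"ALL: {ip}" for ip, _ in live]


# Constructed sample events (documentation address ranges), not real traffic.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_HITS = [
    (T0, "198.51.100.7", 8561),                      # 3-day ban
    (T0 + timedelta(hours=1), "203.0.113.9", 8562),  # 30-day ban
    (T0 + timedelta(hours=2), "192.0.2.5", 8561),    # allowlisted, ignored
    (T0 + timedelta(hours=3), "198.51.100.20", 22),  # real service, ignored
]

if __name__ == "__main__":
    bans = apply_hits(SAMPLE_HITS)
    print("\n".join(render_hosts_deny(bans, T0 + timedelta(days=4))))
```

Rendering from expiry times rather than appending to the deny list means short bans drop out on their own the next time the list is regenerated.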