what to do if attacker's IP address is not in the same log line as error message?

Hi,

The software is an elegant security solution, just a pity it's not applicable to SSH2. The reason is that the SSHD2 daemon splits its messages into multiple log lines. A typical example:

sshd2[PID]: connection from "1.2.3.4"
sshd2[PID]: WARNING: DNS lookup failed for "1.2.3.4"
sshd2[PID]: password authentication failed. Login to account admin not allowed or account non-existent.

In the above case, 1.2.3.4 is trying out possible passwordless accounts and should therefore be banned. Since SSH2 is, for security reasons, widely preferred over the previous protocol version (SSH1), the software would gain from being able to parse this kind of output.

would be tough... try OpenSSH?

Parsing multi-line logs would be tough; it would have to depend on the PID to match up all the lines, and then do a search.

But, alternately: I did a quick search on sshd2 - who makes that? It does not seem to be open-source?

To get the security of SSH Protocol 2, you can use the OpenSSH package. Its log files are parsed by the current rules in blockhosts, and it does put the IP address in each failure line.
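The PID-correlation approach sketched in the reply above, applied to the split sshd2 lines shown in the question, worked through as an added example. This is not BlockHosts code and not from either poster; it assumes only the three sshd2 message shapes quoted in the question ("connection from", the DNS WARNING, and "password authentication failed"), and the sample log, its timestamps, hostname and PIDs are constructed for the demonstration.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample log, modelled on the three sshd2 message shapes quoted in
# the question (timestamps, hostname and PIDs are made up). Only the
# "connection from" line carries the client IP; the failure line does not.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd2[2001]: connection from "1.2.3.4"
Mar  1 10:00:01 host sshd2[2001]: WARNING: DNS lookup failed for "1.2.3.4"
Mar  1 10:00:02 host sshd2[2002]: connection from "10.0.0.7"
Mar  1 10:00:03 host sshd2[2001]: password authentication failed. Login to account admin not allowed or account non-existent.
Mar  1 10:00:04 host sshd2[2002]: password authentication failed. Login to account root not allowed or account non-existent.
Mar  1 10:00:05 host sshd2[2003]: connection from "1.2.3.4"
Mar  1 10:00:06 host sshd2[2003]: password authentication failed. Login to account oracle not allowed or account non-existent.
Mar  1 10:00:07 host sshd2[2004]: connection from "1.2.3.4"
Mar  1 10:00:08 host sshd2[2004]: password authentication failed. Login to account test not allowed or account non-existent.
Mar  1 10:00:09 host sshd2[2005]: connection from "192.168.1.9"
Mar  1 10:00:11 host sshd2[9999]: password authentication failed. Login to account admin not allowed or account non-existent.
"""

# Any sshd2 line: the PID is the only key linking the lines of one connection.
SSHD2_LINE = re.compile(r'sshd2\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# The two message types we act on; the DNS WARNING matches neither and is skipped.
CONN_FROM = re.compile(r'^connection from "(?P<ip>[^"]+)"')
AUTH_FAIL = re.compile(r'^password authentication failed\.')


def failures_by_ip(log_text, max_tracked_pids=1000):
    """Count sshd2 password failures per client IP.

    Returns (Counter of ip -> failures, number of failure lines that could not
    be attributed because no 'connection from' line was seen for that PID,
    e.g. because the log was rotated mid-connection).
    """
    pid_to_ip = OrderedDict()   # PID -> client IP of the connection it serves
    counts = Counter()
    unattributed = 0
    for line in log_text.splitlines():
        m = SSHD2_LINE.search(line)
        if not m:
            continue
        pid, msg = m.group('pid'), m.group('msg')
        conn = CONN_FROM.match(msg)
        if conn:
            # A fresh "connection from" on a PID we already know means the PID
            # was reused after the old child exited: overwrite, never append.
            pid_to_ip.pop(pid, None)
            pid_to_ip[pid] = conn.group('ip')
            # Bound the state so a long-running daemon cannot grow it forever;
            # the oldest PID mapping is dropped first.
            while len(pid_to_ip) > max_tracked_pids:
                pid_to_ip.popitem(last=False)
            continue
        if AUTH_FAIL.match(msg):
            ip = pid_to_ip.get(pid)
            if ip is None:
                unattributed += 1
            else:
                counts[ip] += 1
    return counts, unattributed


def hosts_to_block(log_text, threshold=3):
    """Client IPs with at least `threshold` failures, most failures first."""
    counts, _ = failures_by_ip(log_text)
    offenders = [(ip, n) for ip, n in counts.items() if n >= threshold]
    offenders.sort(key=lambda item: (-item[1], item[0]))
    return [ip for ip, _ in offenders]


if __name__ == '__main__':
    counts, orphans = failures_by_ip(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f'{ip}: {n} failure(s)')
    print(f'{orphans} failure line(s) with no matching "connection from"')
    print('block:', hosts_to_block(SAMPLE_LOG))
```

On the constructed sample this attributes three failures to 1.2.3.4 (across three separate PIDs) and one to 10.0.0.7, while the failure logged by PID 9999 stays unattributed because no "connection from" line for it was ever seen. The two caveats that matter in practice are visible in the code: a PID can be reused after the child exits, so a new "connection from" must replace the old mapping rather than accumulate, and the PID table has to be bounded or a busy daemon will grow it without limit.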