Subject: Re: Interesting security discovery.
To: Alex Pelts <alexp@broadcom.com>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 09/15/2006 05:37:44
Alex Pelts wrote:

> I can think of many things to put in sshd if I am to modify the code.
> The thing is that I don't want to modify sshd code.

So you'll have to settle for layer three/four solutions, which,
IMHO, do more harm than good. This is (another) classic case where you
need application-internal state to make a decision, which is not
possible if you don't want to modify the sshd code.

I tackled this problem (well, I cared more about not having my logs
filled up) 2+ years ago by writing a generic piece of code you could
just call from the failed login path of an authenticating daemon to
do the work for you.

Other solutions include parsing log files in real time, changing the
port sshd listens on, or using port knocking -- one word describes all
of those, and it's "yuck".

-e.

-- 
Elad Efrat
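The kind of hook the message above describes, as an added example (this is not Elad's code nor anything from NetBSD or sshd): a per-source failed-login tracker an authenticating daemon could call from its failed-auth path, with hypothetical names and a constructed policy (5 failures within 60 s blocks the source for 10 minutes). The daemon owns the "did auth fail" state, which is exactly what a layer three/four filter cannot see.

```c
#include <stdbool.h>
#include <string.h>
#include <time.h>

/* Constructed policy values for this example, not anything from sshd. */
#define MAX_SOURCES 64   /* fixed table: small daemons, no allocation */
#define MAX_FAILS   5    /* failures allowed inside one window */
#define WINDOW      60   /* seconds the failure counter covers */
#define BLOCK_SECS  600  /* seconds a source stays refused */

struct source_state {
    char   addr[46];       /* textual IPv4/IPv6 address (hypothetical key) */
    int    fails;          /* failures inside the current window */
    time_t window_start;   /* start of the current window */
    time_t blocked_until;  /* 0 when not blocked */
};

static struct source_state table[MAX_SOURCES]; /* zero-initialised */

/* Find or allocate the slot for a source address; NULL when full. */
static struct source_state *lookup(const char *addr)
{
    int free_slot = -1;
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (table[i].addr[0] == '\0') { if (free_slot < 0) free_slot = i; continue; }
        if (strcmp(table[i].addr, addr) == 0) return &table[i];
    }
    if (free_slot < 0) return NULL; /* table full: fail open and let the caller log it */
    strncpy(table[free_slot].addr, addr, sizeof table[free_slot].addr - 1);
    return &table[free_slot];
}

/* Called by the daemon on each failed authentication. Returns true when the
 * source has just crossed the threshold and should be refused. 'now' is a
 * parameter so the caller (and tests) control time rather than time(NULL). */
bool auth_failed(const char *addr, time_t now)
{
    struct source_state *s = lookup(addr);
    if (s == NULL) return false;
    if (now - s->window_start > WINDOW) { s->window_start = now; s->fails = 0; }
    if (++s->fails >= MAX_FAILS) { s->blocked_until = now + BLOCK_SECS; s->fails = 0; }
    return s->blocked_until > now;
}

/* Called before starting authentication for a new connection. */
bool is_blocked(const char *addr, time_t now)
{
    struct source_state *s = lookup(addr);
    return s != NULL && s->blocked_until > now;
}
```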