
Re: SSH Cracking Attempts



In message <2JS0g-4nG-47@gated-at.bofh.it>, Jacob S <stormspotter@6Texans.net> writes:

> So, my question is this. Is there a way to tell ssh to refuse
> connections from an IP address after a certain number of failed login
> attempts, or is Snort the only way to do something like this? So far
> I've been taking the manual approach, blocking the IP address with
> my firewall after I see it hitting the logs, but that can give them
> about an hour to play before I notice it (e-mailed to me by logcheck).

Nothing built-in, but you can automate what you do already. A cron job every five minutes using grep on your log file, issuing an iptables command...

On the other hand, if he's already tried two or three times and failed to spot a criminally weak account/password pair, why bother blocking? I rarely seem to get more than two from the same IP in the same day. I haven't bothered checking all of them over the last three months.
--
Joe
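
The cron-plus-grep approach described in the reply above, as an added example that is not part of the original message. The threshold, the function names, the log path in the cron comment and the sample log lines are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: count sshd "Failed password" lines per source IP and print
# iptables rules for addresses at or above THRESHOLD (an assumed default).
THRESHOLD="${THRESHOLD:-5}"

# Constructed sample log; the third line has a user name that contains log text.
sample_log() {
cat <<'EOF'
Oct  1 10:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Oct  1 10:00:03 host sshd[102]: Failed password for illegal user test from 203.0.113.7 port 40002 ssh2
Oct  1 10:00:05 host sshd[103]: Failed password for illegal user x from 198.51.100.9 port 1 ssh2 from 203.0.113.7 port 40003 ssh2
Oct  1 10:02:00 host sshd[104]: Failed password for admin from 192.0.2.44 port 51000 ssh2
Oct  1 10:03:00 host sshd[105]: Accepted password for joe from 192.0.2.10 port 52000 ssh2
EOF
}

# offenders [LOGFILE] -> one IPv4 address per line (reads stdin if no file).
# Fields are taken from the END of the line: the user name is remote-supplied
# text, so only the trailing "from IP port N ssh2" written by sshd is trusted.
offenders() {
    awk -v limit="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            ip = $(NF-3)
            # Accept only dotted-quad text so nothing else reaches iptables.
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= limit) print ip }
    ' "${1:--}" | sort
}

# block_rules [LOGFILE] -> prints the commands rather than running them.
# "iptables -C" checks for an existing rule, so repeated runs add no duplicates.
block_rules() {
    offenders "${1:--}" | while read -r ip; do
        printf 'iptables -C INPUT -s %s -p tcp --dport 22 -j DROP 2>/dev/null || iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' \
            "$ip" "$ip"
    done
}

# Assumed cron entry (script path and log path are hypothetical):
# */5 * * * * /usr/local/sbin/ssh-block.sh /var/log/auth.log | sh
if [ "$#" -gt 0 ]; then block_rules "$1"; fi
```

Rules added this way never expire and the whole log is recounted on each run, so a real deployment also needs a way to age blocks out and to exempt your own addresses.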


