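#!/bin/ksh
#
# Scan /var/log/authlog for sshd "Failed password for invalid user" lines,
# count failures per source address, and replace the contents of a pf table
# with every address whose count exceeds the threshold.  Addresses handed to
# pf are also appended to a running record file.  Must be run as root (pfctl).
#
# Usage: $0 [-m MIN] [-t TABLE] [-h]

MAX=4              # addresses with MORE failures than this are blocked
TABLE=sshdbrute    # pf table whose contents are replaced
LOGFILE=/var/log/authlog
# NOTE(review): a root-written file under world-writable /tmp is a symlink
# target; the path is kept because the original script used it -- consider
# moving the record under /var/db or /var/log.
BLOCKLOG=/tmp/sshdblock

# Print the usage text for the program named in $1 to stdout.
function usage {
cat << EOF
$1: [-m minimum] [-t table] [-h]
must be run as root
-m: minimum number of failed attempts (defaults to 4)
-t: pf table to add records to (defaults to sshdbrute)
-h: display this help
EOF
}

# Refuse to run unprivileged: pfctl needs root, and a non-zero status lets a
# cron job or caller notice the failure instead of seeing success.
if [ "$(id -u)" != "0" ]; then
  usage "$0" >&2
  exit 1
fi

# getopts (shell builtin) instead of external getopt: it accepts "-m5" and
# "-m 5" alike and no longer depends on the caller's $2 lining up with the
# flag being parsed, which the original for-loop over getopt output did.
while getopts "hm:t:" opt; do
  case "$opt" in
    m) MAX=$OPTARG ;;
    t) TABLE=$OPTARG ;;
    h) usage "$0"; exit 0 ;;
    *) usage "$0" >&2; exit 2 ;;
  esac
done
shift $((OPTIND - 1))

# -m is compared numerically inside awk; reject anything but a plain integer.
case "$MAX" in
  ''|*[!0-9]*)
    printf '%s: -m expects a non-negative integer, got "%s"\n' "$0" "$MAX" >&2
    exit 2 ;;
esac

# Count failures per source address.  The address is the field after the
# LAST "from" on the line rather than a fixed column ($13): the user name is
# attacker-chosen and logged verbatim, so an empty name, or one containing
# spaces or the word "from", shifts the columns and would otherwise feed a
# wrong token -- potentially a wrong address -- into the pf table.  Only
# tokens that look like an IPv4 or IPv6 literal are counted.  The threshold
# is passed with -v so it is never spliced into the awk program text.
awk -v max="$MAX" '
  /Failed/ && /invalid/ {
    ip = ""
    for (i = NF; i > 0; i--)
      if ($i == "from") { ip = $(i + 1); break }
    if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || ip ~ /^[0-9A-Fa-f:]+$/)
      ++badguys[ip]
  }
  END {
    for (item in badguys)
      if (badguys[item] > max)
        print item
  }' "$LOGFILE" \
  | tee -a "$BLOCKLOG" \
  | pfctl -v -v -t "$TABLE" -T replace -f - \
  | grep -vE "^( |no)"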