Intrusion Prevention with syslog-ng
Valentijn has published (blog post, mailing list archive) a nice hack using syslog-ng to actively react to intrusion attempts with patterndb and iptables. The blocking part is implemented using the iptables recent match, which is capable of closing an open port for a certain amount of time. This is controlled by syslog-ng: whenever a login failure is received, syslog-ng informs the recent module about it.
And please note that it doesn't matter which application the intruder is trying to use: by feeding new rules into patterndb, you can have the same functionality for any of your applications, with the syslog-ng configuration unchanged.
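As an added example (not Valentijn's code and not part of the original post), here is a setup script that writes one patterndb rule for sshd login failures, a syslog-ng fragment that pushes the parsed address into the iptables recent list through its /proc control file, and the matching iptables rule. The file paths, list name, rule ids and the 600-second window are assumptions; any further patterndb rule of class "violation" that fills ${intruder.ip} blocks through the same path, so the syslog-ng part stays unchanged for other daemons.

```shell
#!/bin/sh
# Added example, not Valentijn's code. Paths, list name and rule ids are assumptions.
PREFIX="${PREFIX:-/etc/syslog-ng}"      # where the pattern file and config fragment go
LIST="${LIST:-blocklist}"               # name of the xt_recent list
BLOCK_SECONDS="${BLOCK_SECONDS:-600}"   # how long the port stays closed for an address
# One patterndb rule for sshd. Any rule of class "violation" that fills
# ${intruder.ip} feeds the same block path; add rules for other daemons here.
write_patterndb() {
  mkdir -p "$PREFIX/patterndb.d"
  cat > "$PREFIX/patterndb.d/sshd.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="4" pub_date="2010-01-01">
  <ruleset name="sshd" id="ruleset-sshd">
    <pattern>sshd</pattern>
    <rules>
      <rule provider="local" id="sshd-failed-password" class="violation">
        <patterns>
          <pattern>Failed password for @ESTRING:intruder.user: from@ @IPv4:intruder.ip@ port @NUMBER:intruder.port@ ssh2</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
EOF
}

# syslog-ng fragment: parse with patterndb, keep only violations, and write
# "+ADDR" to the xt_recent control file, which adds ADDR with the current time.
write_config() {
  mkdir -p "$PREFIX/conf.d"
  cat > "$PREFIX/conf.d/block-intruders.conf" <<EOF
source s_sys { system(); };
parser p_patterndb { db-parser(file("$PREFIX/patterndb.d/sshd.xml")); };
filter f_violation { match("violation" value(".classifier.class")); };
destination d_xt_recent {
    # flush-lines(1): the kernel expects exactly one command per write()
    file("/proc/net/xt_recent/$LIST" template("+\${intruder.ip}\n") flush-lines(1));
};
log { source(s_sys); parser(p_patterndb); filter(f_violation); destination(d_xt_recent); };
EOF
}

# The list only appears in /proc once a rule references it. --rcheck --seconds
# matches addresses last seen within the window, so the block expires on its own.
apply_iptables() {
  iptables -I INPUT -p tcp --syn --dport 22 -m recent --name "$LIST" \
    --rcheck --seconds "$BLOCK_SECONDS" -j DROP    # drop --dport to cover all ports
}
case "${1:-}" in install) write_patterndb; write_config; apply_iptables ;; esac
```

Run it as `sh block-intruders.sh install` on the host, then have syslog-ng reload its configuration.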
Nice idea, thanks Valentijn.