From: Art S. <art...@gm...> - 2009-10-02 18:51:02
Is there a way to set up certain types of log messages to be banned on first attempt, and the rest at the default of 4? The reason why I ask is because I like the idea of the default of 4, since users can make mistakes when trying to log in, and that gives them a little room for error, but there are certain log entries that I feel should be banned on first attempt. For example:

Oct 2 13:26:27 srvtwc sshd[7642]: User root from mx.referent.ru not allowed because not listed in AllowUsers
Oct 2 13:26:27 srvtwc sshguard[30833]: Successfully resolved ' mx.referent.ru' --> 4:'86.111.5.38'.
Oct 2 13:26:27 srvtwc sshguard[30833]: Matched address 86.111.5.38:4attacking service 100
Oct 2 13:26:28 srvtwc sshd[7642]: error: PAM: Authentication failure for illegal user root from mx.referent.ru
Oct 2 13:26:28 srvtwc sshd[7642]: Failed keyboard-interactive/pam for invalid user root from 86.111.5.38 port 33046 ssh2
Oct 2 13:26:28 srvtwc sshguard[30833]: Matched address 86.111.5.38:4attacking service 100
Oct 2 13:27:43 srvtwc sshd[7645]: User root from 119-210-96-87.cust.blixtvik.se not allowed because not listed in AllowUsers
Oct 2 13:27:43 srvtwc sshguard[30833]: Successfully resolved ' 119-210-96-87.cust.blixtvik.se' --> 4:'87.96.210.119'.
Oct 2 13:27:43 srvtwc sshguard[30833]: Matched address 87.96.210.119:4attacking service 100
Oct 2 13:27:43 srvtwc sshd[7645]: error: PAM: Authentication failure for illegal user root from 119-210-96-87.cust.blixtvik.se
Oct 2 13:27:43 srvtwc sshd[7645]: Failed keyboard-interactive/pam for invalid user root from 87.96.210.119 port 41754 ssh2
Oct 2 13:27:43 srvtwc sshguard[30833]: Matched address 87.96.210.119:4attacking service 100
Oct 2 13:28:49 srvtwc sshd[7649]: User root from static-87-79-66-203.netcologne.de not allowed because not listed in AllowUsers
Oct 2 13:28:49 srvtwc sshguard[30833]: Successfully resolved ' static-87-79-66-203.netcologne.de' --> 4:'87.79.66.203'.
Oct 2 13:28:49 srvtwc sshguard[30833]: Matched address 87.79.66.203:4attacking service 100
Oct 2 13:28:50 srvtwc sshd[7649]: error: PAM: Authentication failure for illegal user root from static-87-79-66-203.netcologne.de
Oct 2 13:28:50 srvtwc sshd[7649]: Failed keyboard-interactive/pam for invalid user root from 87.79.66.203 port 51639 ssh2
Oct 2 13:28:50 srvtwc sshguard[30833]: Matched address 87.79.66.203:4attacking service 100

I've noticed in my logs recently, since I've started to use sshguard, that the attackers' scripts are smart enough to know, or remember, that your server is running sshguard or a similar service, and will attempt brute force attacks from a rotating set of IPs, so that they will never get banned so long as they have enough IPs to come in from. The logs show that sshguard is picking it up as an attack properly, but by the time they cycle through their list of remote IPs and use one that sshguard has seen already, it's been over the time period where it would count it as a second attack. Anything that shows up as "not listed in AllowUsers" or "failure for illegal user xxx" should be banned on first attempt. That would be a great addition to your already awesome app.
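The two-tier policy the post asks for, written out as an added example (this is not sshguard's code or configuration, and the pattern list, the 20-minute window and the log lines are constructed for illustration): messages matching the "not listed in AllowUsers" or "Authentication failure for illegal user" text block their source on the first hit, while ordinary "Failed ..." lines are counted per source against a threshold of 4 inside a sliding window. The sample log also reproduces the rotating-source case from the post, where four failures arrive from four different addresses and the threshold tier alone never fires.

```python
"""Two-tier blocking policy over sshd log lines (illustrative example, not sshguard's own code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Example policy: messages that justify blocking the source on the first hit.
IMMEDIATE_PATTERNS = (
    re.compile(r"not allowed because not listed in AllowUsers"),
    re.compile(r"Authentication failure for illegal user"),
)
# Ordinary authentication failures that are only counted against the threshold.
COUNTED_PATTERN = re.compile(r"^Failed \S+ for ")
# The source (hostname or address) is whatever follows " from " in the message.
SOURCE_RE = re.compile(r" from (\S+)")
# syslog prefix: "Mon  D HH:MM:SS host sshd[pid]: message"
LOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")


class BlockPolicy:
    def __init__(self, threshold=4, window=timedelta(minutes=20), year=2009):
        self.threshold = threshold      # counted failures needed for a block
        self.window = window            # sliding window the failures must fall in
        self.year = year                # syslog timestamps carry no year
        self.hits = defaultdict(deque)  # source -> timestamps of counted failures
        self.blocked = {}               # source -> "immediate" or "threshold"

    def _parse(self, line):
        m = LOG_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        src = SOURCE_RE.search(msg)
        return ts, msg, (src.group(1) if src else None)

    def process(self, line):
        """Return (source, reason) when this line causes a block, else None."""
        parsed = self._parse(line)
        if parsed is None:
            return None
        ts, msg, src = parsed
        if src is None or src in self.blocked:
            return None
        # Tier 1: first-hit block for the patterns that never come from a typo.
        if any(p.search(msg) for p in IMMEDIATE_PATTERNS):
            self.blocked[src] = "immediate"
            return src, "immediate"
        # Tier 2: plain failures get the usual threshold inside the window.
        if COUNTED_PATTERN.match(msg):
            q = self.hits[src]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()
            if len(q) >= self.threshold:
                self.blocked[src] = "threshold"
                return src, "threshold"
        return None


def run(lines, **kw):
    """Feed lines through a fresh policy and return the block decisions in order."""
    policy = BlockPolicy(**kw)
    return [d for d in (policy.process(line) for line in lines) if d]


# Constructed sample log using documentation address ranges (not from the original post).
SAMPLE_LOG = [
    # one source denied by AllowUsers, followed by its PAM failure for the same attempt
    "Oct  2 13:26:27 srv sshd[7642]: User root from 192.0.2.10 not allowed because not listed in AllowUsers",
    "Oct  2 13:26:28 srv sshd[7642]: Failed keyboard-interactive/pam for invalid user root from 192.0.2.10 port 33046 ssh2",
    # four failures spread over four rotating sources, one each: below threshold everywhere
    "Oct  2 13:30:01 srv sshd[7650]: Failed password for bob from 198.51.100.1 port 5001 ssh2",
    "Oct  2 13:30:05 srv sshd[7651]: Failed password for bob from 198.51.100.2 port 5002 ssh2",
    "Oct  2 13:30:09 srv sshd[7652]: Failed password for bob from 198.51.100.3 port 5003 ssh2",
    "Oct  2 13:30:13 srv sshd[7653]: Failed password for bob from 198.51.100.4 port 5004 ssh2",
    # four failures from a single source inside the window: threshold block on the fourth
    "Oct  2 13:40:00 srv sshd[7660]: Failed password for alice from 203.0.113.7 port 6001 ssh2",
    "Oct  2 13:40:03 srv sshd[7660]: Failed password for alice from 203.0.113.7 port 6001 ssh2",
    "Oct  2 13:40:06 srv sshd[7660]: Failed password for alice from 203.0.113.7 port 6001 ssh2",
    "Oct  2 13:40:09 srv sshd[7660]: Failed password for alice from 203.0.113.7 port 6001 ssh2",
]

if __name__ == "__main__":
    for src, reason in run(SAMPLE_LOG):
        print(f"block {src} ({reason})")
```

Running it on the sample blocks 192.0.2.10 immediately and 203.0.113.7 on its fourth failure, while the four rotating sources are never blocked; dropping the threshold to 1 blocks every source, which is the trade-off the post weighs against legitimate users' typos.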