Hi Kevin, Thanks for your input, I have taken your ideas on board. In case anyone is interested here is an OSSEC configuration that works well for me;
decoder.xml:

    <decoder name="ssh-scan2">
      <parent>sshd</parent>
      <prematch>^Did not receive identification|^Bad protocol version</prematch>
      <regex offset="after_prematch"> from (\d+.\d+.\d+.\d+)$</regex>
      <order>srcip</order>
    </decoder>

sshd_rules:

    <rule id="5706" level="4">
      <if_sid>5700</if_sid>
      <match>Did not receive identification string from</match>
      <description>SSH insecure connection attempt (scan).</description>
    </rule>

    <!-- fires on four 5706 matches within 360 seconds -->
    <rule id="100160" level="10" frequency="4" timeframe="360">
      <if_matched_sid>5706</if_matched_sid>
      <description>Possible scan or breakin attempt </description>
      <description>(high number of identification failures).</description>
    </rule>

You may or may not need to change some things such as the rule id="100160". Also note that the decoder rule (and sshd rule 5706) probably already exists for you but I changed it a bit. This works fine for me by banning hosts who give me four identification failures in 360 seconds.

Chris
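To see what the decoder and the frequency rule above actually do to a stream of sshd log lines, here is a small Python emulation (an added example, not part of Chris's post and not OSSEC code). It mirrors the two prematch alternatives, the "from <ip>" capture, and the 4-in-360-seconds window of rule 100160. It groups failures by source IP, which is what "banning hosts who give me four identification failures" implies; in a real OSSEC rule that per-source grouping is what `<same_source_ip />` provides, and without it the frequency counter is shared across all sources. The log lines, host name, PIDs and addresses are constructed; the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Emulation of the decoder: the two <prematch> alternatives and the
# trailing "from <ip>" capture of the <regex> (dots made literal here).
PREMATCH = re.compile(r"^Did not receive identification|^Bad protocol version")
SRCIP = re.compile(r"from (\d+\.\d+\.\d+\.\d+)$")
# Classic syslog shape: "<Mon DD HH:MM:SS> <host> sshd[pid]: <message>"
SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")

FREQUENCY = 4     # rule 100160: frequency="4"
TIMEFRAME = 360   # rule 100160: timeframe="360" (seconds)

# Constructed sample log; hostnames, PIDs and addresses are made up.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2011]: Did not receive identification string from 203.0.113.7
Mar  3 10:01:15 bastion sshd[2014]: Bad protocol version identification 'GET / HTTP/1.1' from 203.0.113.7
Mar  3 10:02:30 bastion sshd[2020]: Accepted publickey for alice from 198.51.100.4 port 51022 ssh2
Mar  3 10:03:40 bastion sshd[2025]: Did not receive identification string from 203.0.113.7
Mar  3 10:04:50 bastion sshd[2031]: Did not receive identification string from 198.51.100.9
Mar  3 10:05:55 bastion sshd[2037]: Did not receive identification string from 203.0.113.7
Mar  3 10:20:00 bastion sshd[2100]: Did not receive identification string from 198.51.100.9
"""


def decode(line, year=2024):
    """Return (timestamp, srcip) when a line is an sshd identification
    failure (what rule 5706 sees), otherwise None.  `year` is assumed
    because syslog timestamps do not carry one."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts_text, msg = m.groups()
    if not PREMATCH.search(msg):      # neither prematch alternative: not ours
        return None
    ip = SRCIP.search(msg)
    if not ip:                        # prematch hit but no "from <ip>" tail
        return None
    ts = datetime.strptime(ts_text, "%b %d %H:%M:%S").replace(year=year)
    return ts, ip.group(1)


def correlate(lines):
    """Sliding-window emulation of rule 100160, counted per source IP.
    Returns a list of (srcip, iso_timestamp) for each time the window
    reaches FREQUENCY failures inside TIMEFRAME seconds."""
    window = defaultdict(deque)
    alerts = []
    for line in lines:
        hit = decode(line)
        if hit is None:
            continue
        ts, ip = hit
        q = window[ip]
        q.append(ts)
        # drop failures older than the timeframe relative to this one
        while (ts - q[0]).total_seconds() > TIMEFRAME:
            q.popleft()
        if len(q) >= FREQUENCY:
            alerts.append((ip, ts.isoformat()))
            q.clear()   # require FREQUENCY fresh failures before alerting again
    return alerts


if __name__ == "__main__":
    for ip, when in correlate(SAMPLE_LOG.splitlines()):
        print(f"ALERT rule 100160: {ip} hit {FREQUENCY} failures by {when}")
```

On the constructed sample only 203.0.113.7 trips the rule (four failures between 10:00:01 and 10:05:55, 354 seconds apart); 198.51.100.9 has two failures fifteen minutes apart and stays quiet, and the successful publickey login never reaches the counter. One caveat for anyone reusing the decoder: newer OpenSSH releases append " port NNNN" to these messages, which would defeat the `$` anchor after the address in both the OSSEC regex and this emulation.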