Okay, I know this post is old, but I hate unanswered posts! In case anybody is still interested in an answer to this question, here's a script that I used to use to block IPs with excessive ssh login failures. You may need to change some things depending on what flavor of *NIX you run it on. In its current configuration, it should work on a RedHat Enterprise 3 system, and will add any IP address with 10 login failures (since the log was rotated, which was daily in my case) to a block list, and send an email notification.
I also had some firewall rules in there originally, but I cut them out for this exercise. It could be easily modified to get usernames as well, and you could use the log that it generates as your printed report! Let me know if it's useful.
Code:
#!/bin/bash
########################################
##
## Jeo's login failure detection script.
##
########################################
########################################
##
## Set Variables here!
##
########################################
LOGFILE="/var/log/secure"
TMPFILE="/tmp/punkd.log"
BLOCKLIST="/tmp/block_list"
MAX_TRY="10"
DELAY="20"
EMAIL="you@yourdomain.com"
## Space-separated IPs that must never be blocked (e.g. your own workstation)
TRUSTED_IPS=""
## Make sure the block list exists so grep doesn't error out on the first run
touch "$BLOCKLIST"
########################################
##
## Here we use a "while" loop to keep
## things rolling...
##
########################################
while true; do
########################################
##
## Count the failures and make a
## 2 column tmp file in the format of:
## <COUNT> <IPADDR>
##
########################################
grep -E "sshd.+Failed" "$LOGFILE" |
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
sort | uniq -c > "$TMPFILE"
########################################
##
## Feed the tmpfile to 'read' in our
## next loop (the redirect is on the
## loop itself rather than 'exec', so
## the script's own stdin is left alone)
##
## Use 'read' to break out the ip and
## the number of occurrences, check
## for existence in block list, and
## block if necessary
##
########################################
while read -r COUNT IPADDR ; do
## Never touch anything on the trusted list
case " $TRUSTED_IPS " in
  *" $IPADDR "*) continue ;;
esac
## Check to see if the IP is already in the list
## (-F: literal match so '.' isn't a wildcard, -x: whole line, -q: quiet)
## If it's not in the list...
if ! grep -Fxq -- "$IPADDR" "$BLOCKLIST"; then
## And it occurs greater than or equal to $MAX_TRY times...
if [ "$COUNT" -ge "$MAX_TRY" ]; then
## We drop it into the block list...
echo "$IPADDR" >> "$BLOCKLIST"
## Email ourselves (the subject goes before the address)...
echo "$IPADDR ($COUNT failures) is being added to the list" |
mail -s "New Blocked IP - $IPADDR" "$EMAIL"
## And make a log entry.
logger "$IPADDR ($COUNT failures) added to the block list"
fi
fi
done < "$TMPFILE"
########################################
##
## Sleep for $DELAY seconds, start over
##
########################################
sleep "$DELAY"
done
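The counting step from the post, extended to also pull out the user names each source tried and to honour a trusted-IP list, as an added example that is not the poster's script. It runs against constructed lines in the /var/log/secure format; the file name, IPs and user names are made up for the example.

```bash
#!/bin/bash
# Added example (not the original poster's script): count sshd login failures
# per source IP from constructed /var/log/secure-style lines, skip an
# allow-list of trusted IPs, and report the user names tried next to the count.

# Constructed sample log lines in the classic syslog "secure" format.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 host sshd[2101]: Failed password for root from 198.51.100.7 port 4011 ssh2
Mar  3 10:01:05 host sshd[2101]: Failed password for root from 198.51.100.7 port 4012 ssh2
Mar  3 10:01:09 host sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 4013 ssh2
Mar  3 10:02:00 host sshd[2110]: Failed password for alice from 192.0.2.9 port 5000 ssh2
Mar  3 10:02:30 host sshd[2111]: Accepted password for alice from 192.0.2.9 port 5001 ssh2
Mar  3 10:03:00 host sshd[2120]: Failed password for bob from 203.0.113.5 port 6000 ssh2
EOF

TRUSTED_IPS="192.0.2.9"   # constructed: a monitoring host whose failures we ignore

# failures_by_ip LOGFILE [TRUSTED_IP...] -> lines "COUNT IP USERS", most failures first
failures_by_ip() {
    local log="$1"; shift
    local trusted=" $* "
    # Pull "ip user" out of every sshd failure line, then aggregate per IP.
    sed -nE 's/.*sshd\[[0-9]+\]: Failed password for (invalid user )?([^ ]+) from ([0-9.]+) .*/\3 \2/p' "$log" |
    awk -v trusted="$trusted" '
        index(trusted, " " $1 " ") { next }                      # skip allow-listed IPs
        { n[$1]++; if (!index("," u[$1], "," $2 ",")) u[$1] = u[$1] $2 "," }
        END { for (ip in n) { sub(/,$/, "", u[ip]); printf "%d %s %s\n", n[ip], ip, u[ip] } }' |
    sort -rn
}

# over_threshold LOGFILE MAX [TRUSTED_IP...] -> IPs with at least MAX failures
over_threshold() {
    local log="$1" max="$2"; shift 2
    failures_by_ip "$log" "$@" | awk -v max="$max" '$1 >= max { print $2 }'
}

failures_by_ip "$SAMPLE_LOG" $TRUSTED_IPS
over_threshold "$SAMPLE_LOG" 3 $TRUSTED_IPS
```

The second line of each report entry is the list of user names the source tried, which is the "usernames as well" the post mentions.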