LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 10-04-2005, 11:26 PM   #1
mattp
Member
 
Registered: Mar 2004
Location: Chicago, USA
Distribution: Slackware 10.2
Posts: 368

Rep: Reputation: 30
Alert when root pw is being guessed at


I have my server open to SSH connections. I need a script that will email me if the root password was incorrectly entered 5 times. Anyone have any ideas?
 
Old 10-04-2005, 11:46 PM   #2
freakyg
Member
 
Registered: Apr 2005
Distribution: LFS 5.0 and 6.1
Posts: 705

Rep: Reputation: 30
part of setting up tcp wrappers is to dis-allow root access via ssh...........just make sure that your root password cannot be guessed or brute forced.......( it would take JTR 500+ years to guess my root pass........LOL)

script kiddie crackers can use proxies and spoof UDP packets to hide their IP .......so having an alert setup would do no good anyways........
 
Old 10-04-2005, 11:49 PM   #3
mattp
Member
 
Registered: Mar 2004
Location: Chicago, USA
Distribution: Slackware 10.2
Posts: 368

Original Poster
Rep: Reputation: 30
I'm not concerned who is guessing at it, just that it is trying to be guessed. Maybe SSH could be locked out after the 5th try at root pw. I want to access root from SSH because I want to do admin things on the server from abroad.
 
Old 10-05-2005, 12:39 AM   #4
gbonvehi
Senior Member
 
Registered: Jun 2004
Location: Argentina (SR, LP)
Distribution: Slackware
Posts: 3,145

Rep: Reputation: 53
Then disallow login as root. And configure the su command to be used only from another account you create yourself just to log in and su to root from there.
Allowing direct root login is bad, because the crackers already know the username. The way I'm suggesting, they will have to know the username you are allowing to su, so they may get into another account, but they still won't be able to su from there.

Last edited by gbonvehi; 10-05-2005 at 12:42 AM.
 
Old 10-05-2005, 12:43 AM   #5
mattp
Member
 
Registered: Mar 2004
Location: Chicago, USA
Distribution: Slackware 10.2
Posts: 368

Original Poster
Rep: Reputation: 30
Ah, good point. Thanks!
 
Old 10-05-2005, 12:54 AM   #6
gbonvehi
Senior Member
 
Registered: Jun 2004
Location: Argentina (SR, LP)
Distribution: Slackware
Posts: 3,145

Rep: Reputation: 53
You're welcome

Forgot to say that you also should change your SSH port to something else, that will prevent 99% of the attacks, since they're most directed to port 22.

There are also some utilities that will block IPs if they fail to login on SSH on X tries, like: http://www.csc.liv.ac.uk/~greg/sshdfilter/
 
Old 10-05-2005, 01:24 AM   #7
Yalla-One
Member
 
Registered: Oct 2004
Location: Norway
Distribution: Slackware, CentOS
Posts: 641

Rep: Reputation: 36
Just to follow up on various very good suggestions, the best of them definitely being to disallow root login, I have included below what I've done to secure sshd:

1. On my gateway running NAT I have mapped a non-standard port to be forwarded to my server's ssh port, so that the normal script-kiddies don't get a hit on port 22 off the bat

2. On my server (running ssh) I have included the following statement in iptables to limit ssh to allow only one new ssh connection each 30 seconds :

Code:
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 25 -j DROP
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set -j ACCEPT
3. In /etc/ssh/sshd_config I have made a number of changes

Code:
# Changed from Protocol 2,1 - allow only ssh v2 - more secure
Protocol 2
# NEVER EVER login as root - as addressed by previous thread writers
PermitRootLogin no
# Changed from default 5
MaxAuthTries 2
# Only one username which is un-guessable (and has STRONG password)
AllowUsers nnnn
IgnoreRhosts yes
PermitEmptyPasswords no

4. Check your /var/log/messages frequently

and if you're very security conscious:

5. Install a port-blocker that reads your logs and automagically reprograms iptables to lock out the offending addresses if someone tries to break in.
See http://daemonshield.sourceforge.net/ or http://www.simonzone.com/software/guarddog/ for examples, though there are many more programs available too.

-Y1
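The script asked for in post #1 (mail me when the root password has been entered wrongly five times) and the "check your /var/log/messages" step above come down to the same thing: parse sshd's "Failed password" lines, count them per source address and user, and raise an alert once a threshold is crossed. The following is an added example, not code from this thread or from any of the tools linked above. The log lines are constructed samples in the syslog format sshd writes on Slackware; the hostname, addresses, recipient and SMTP host are placeholders, and the mail is only built, not sent, unless you call send_alert yourself.

```python
import re
import sys
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample lines in the format sshd logs to /var/log/messages.
# Addresses come from the documentation ranges (192.0.2.0/24 etc.), host "gw" is made up.
SAMPLE_LOG = """\
Oct  5 00:12:01 gw sshd[2201]: Failed password for root from 192.0.2.10 port 4222 ssh2
Oct  5 00:12:04 gw sshd[2201]: Failed password for root from 192.0.2.10 port 4222 ssh2
Oct  5 00:12:07 gw sshd[2203]: Failed password for root from 192.0.2.10 port 4231 ssh2
Oct  5 00:12:09 gw sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 1025 ssh2
Oct  5 00:12:11 gw sshd[2207]: Failed password for root from 192.0.2.10 port 4240 ssh2
Oct  5 00:12:15 gw sshd[2209]: Accepted password for nnnn from 203.0.113.5 port 50022 ssh2
Oct  5 00:12:20 gw sshd[2211]: Failed password for root from 192.0.2.10 port 4250 ssh2
Oct  5 00:12:25 gw sshd[2213]: Failed password for root from 198.51.100.7 port 1030 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user X ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def count_failures(log_text, user="root"):
    """Return {source_ip: number of failed password attempts for `user`}."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and m.group("user") == user:
            counts[m.group("ip")] += 1
    return dict(counts)


def offenders(log_text, user="root", threshold=5):
    """Source addresses that reached `threshold` failed logins for `user`, sorted."""
    return sorted(ip for ip, n in count_failures(log_text, user).items() if n >= threshold)


def build_alert(ips, host, user="root", threshold=5, to="admin@example.invalid"):
    """Compose the notification mail; returns an EmailMessage, nothing is sent here."""
    msg = EmailMessage()
    msg["Subject"] = f"[{host}] {threshold}+ failed SSH logins for {user}"
    msg["From"] = f"root@{host}"
    msg["To"] = to
    lines = [f"{len(ips)} address(es) hit {threshold} failed password attempts for '{user}':"]
    lines += [f"  {ip}" for ip in ips]
    lines.append("Consider blocking these addresses in iptables and reviewing /var/log/messages.")
    msg.set_content("\n".join(lines))
    return msg


def send_alert(msg, smtp_host="localhost"):
    """Hand the message to the local MTA (placeholder host; only called from main)."""
    import smtplib
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)


def main(argv):
    # Usage: python sshwatch.py [/var/log/messages]; with no argument the sample is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    hits = offenders(text)
    if hits:
        msg = build_alert(hits, host="gw")
        print(msg)          # replace with send_alert(msg) once a local MTA is configured
        return 1
    print("no root brute-force threshold reached")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron every few minutes against /var/log/messages. Since the counts are cumulative over whatever the script reads, a production version should remember the file offset it last processed (or read only the rotated slice) so that the same five failures do not mail you every run; pairing it with the iptables rate-limit above keeps the count from growing faster than the script is scheduled.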