This is my /etc/rc.d/rc.firewall; I use this to block brute-force SSH logins.
The xxx.xxx.xxx.xxx is where you put a remote IP you want to always accept. You can keep adding IPs if needed.
These tables will also drop localhost connections if the IP isn't set in xxx.xxx.xxx.xxx.
Code:
# Create a dedicated chain for new SSH connections
iptables -N SSHSCAN
# Always accept SSH from the trusted address (add one line per trusted IP)
iptables -A INPUT -p tcp --dport 22 -s xxx.xxx.xxx.xxx -j ACCEPT
# Send every other NEW SSH connection through the SSHSCAN chain
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
# Record the source address in the "SSH" recent list
iptables -A SSHSCAN -m recent --set --name SSH
# Log once the address has been seen 3 or more times within 300 seconds
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j LOG --log-level info --log-prefix "SSH SCAN blocked: "
# ...and drop the connection (the --update also refreshes the timestamp)
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
After 3 bad login attempts, their connection is dropped for 5 minutes.
Each time they try to log in after the connection has been dropped, it keeps resetting the timer to 5 minutes.
This is a script I found and have been using for a while now.
I know I didn't really answer your question, but I'm just showing you another way of going about what you're after.
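To see exactly what the SSHSCAN chain above counts, here is an added Python model of the xt_recent matching rules (this is not from the original post and not the kernel's code; the source addresses and timings are constructed). It replays a list of NEW SSH connection times through the same three rules (--set, --update with LOG, --update with DROP, --seconds 300 --hitcount 3). One thing worth noticing for anyone deploying it: the list is fed by every new TCP connection to port 22, so the third SSH connection from one address inside five minutes is dropped whether or not the earlier logins failed, and every retry while blocked adds a fresh timestamp, which is what keeps the block alive.

```python
from collections import defaultdict

SECONDS = 300   # --seconds 300 from the SSHSCAN rules
HITCOUNT = 3    # --hitcount 3 from the SSHSCAN rules


class RecentTable:
    """Minimal model of one named 'recent' list (the --name SSH list)."""

    def __init__(self):
        self.stamps = defaultdict(list)   # source IP -> list of hit timestamps

    def set(self, ip, now):
        # -m recent --set: unconditionally record a hit for the address.
        self.stamps[ip].append(now)
        return True

    def update(self, ip, now, seconds, hitcount):
        # -m recent --update --seconds S --hitcount H: match when the address
        # already has at least H hits inside the last S seconds (this packet
        # included); a new timestamp is only added when the rule matches,
        # which is how xt_recent treats --update.
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False


def sshscan(table, ip, now, log):
    """Walk one NEW port-22 connection through the SSHSCAN chain.

    Returns 'DROP' or 'ACCEPT' (falling off the chain continues in INPUT).
    """
    table.set(ip, now)                                   # --set
    if table.update(ip, now, SECONDS, HITCOUNT):         # --update ... -j LOG
        log.append(f"{now:>4}s SSH SCAN blocked: SRC={ip}")
    if table.update(ip, now, SECONDS, HITCOUNT):         # --update ... -j DROP
        return "DROP"
    return "ACCEPT"


def replay(events):
    """events: (seconds since start, source IP), in time order.

    Returns ([(time, ip, verdict), ...], [log lines]).
    """
    table = RecentTable()
    log = []
    verdicts = [(t, ip, sshscan(table, ip, t, log)) for t, ip in events]
    return verdicts, log


# Constructed sample (documentation addresses): 203.0.113.7 keeps reconnecting,
# 198.51.100.2 connects once. The retries at 200s and 450s are each more than
# 300s after the first connection, yet still dropped, because every retry
# refreshed the timestamps. Only after 350s of silence (800s) is it accepted.
SAMPLE = [
    (0, "203.0.113.7"), (10, "198.51.100.2"), (30, "203.0.113.7"),
    (60, "203.0.113.7"), (200, "203.0.113.7"), (450, "203.0.113.7"),
    (800, "203.0.113.7"),
]

if __name__ == "__main__":
    verdicts, log = replay(SAMPLE)
    for t, ip, verdict in verdicts:
        print(f"{t:>4}s {ip:<14} {verdict}")
    print("\n".join(log))
```

The model counts connections, not authentication results, because that is all the NEW-state rule in the script can see; an SSH daemon option such as MaxAuthTries or a log-driven tool is what actually reacts to failed passwords.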