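#!/bin/sh
#
# Brute-force lockout filter for syslog lines read on stdin.
#
# Each input line is split as "month day time host tag message". For sshd
# and postfix/smtpd authentication failures the client address is appended
# to a per-address counter file; once a counter reaches 10 lines the address
# is added to the pf table "sshbf", the counter is reset, and an at(1) job
# is queued to delete the address from the table one day later.
#
# Security notes:
#   * Log text is attacker-influenced (user names and client banners end up
#     in it), so the extracted address is validated before it is used in a
#     file name, handed to pfctl, or written into the at(1) job, whose text
#     is later executed by a shell.
#   * The address is taken from the LAST "from" token, because earlier
#     fields such as the user name are chosen by the remote client.
#   * Counter files live in a private directory rather than directly in
#     /tmp, where another local user could pre-create the predictable names.
#     NOTE(review): the default below is a constructed choice; override it
#     with LOCKOUT_DIR to suit the host.
#   * Presumably this runs as root (pfctl needs it) - confirm for your setup.

set -f                  # message words are split below; never glob-expand them
umask 077
LC_ALL=C
export LC_ALL           # byte-wise character ranges in the patterns below

table=sshbf             # postfix offenders share the sshd table, as before
threshold=10
state_dir=${LOCKOUT_DIR:-/var/run/lockout}

mkdir -p -m 700 "$state_dir" || {
  printf '%s: cannot create state directory %s\n' "${0##*/}" "$state_dir" >&2
  exit 1
}

# is_ip_literal ADDR
# Succeeds only for a string built from the IPv4/IPv6 literal alphabet:
# dotted digits, or hex digits with at least one colon. Host names, scoped
# addresses (%ifname), slashes and shell metacharacters are all refused.
# pfctl still has the final say on whether the address is well formed.
is_ip_literal() {
  [ "${#1}" -le 45 ] || return 1
  case $1 in
    *[!0-9A-Fa-f.:]*) return 1 ;;
    *:*) return 0 ;;
    *[!0-9.]*) return 1 ;;
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
  esac
  return 1
}

# last_from_arg WORD...
# Prints the word following the last "from" in the argument list (nothing if
# there is none). Meant to be called in a command substitution so that its
# scratch variable does not leak into the caller.
last_from_arg() {
  found=
  while [ $# -gt 1 ]; do
    if [ "$1" = from ]; then
      found=$2
    fi
    shift
  done
  printf '%s' "$found"
}

# record_failure SERVICE ADDR
# Counts one failure for ADDR under SERVICE ("ssh" or "postfix") and blocks
# the address once the counter reaches the threshold. Anything that is not
# an IP literal is ignored.
record_failure() {
  svc=$1
  addr=$2
  is_ip_literal "$addr" || return 0

  counter=$state_dir/lockout.$svc.$addr
  lockf -k "$counter" echo "$addr" >>"$counter"
  hits=$(awk 'END { print NR }' "$counter")

  if [ "${hits:-0}" -ge "$threshold" ]; then
    # Queue the removal only when the address really went into the table.
    if pfctl -t "$table" -T add "$addr"; then
      printf 'pfctl -t %s -T delete %s 2>/dev/null\n' "$table" "$addr" |
        at now + 1 day
    fi
    : >"$counter"       # start counting afresh for this address
  fi
}

# m d h H (month, day, time, host) are read only to reach tag and msg.
# -r keeps backslashes in the log text literal.
while read -r m d h H tag msg; do
  case $tag in
    *sshd*)
      case $msg in
        *"Did not receive identification string"* | \
        *"Failed password for"* | \
        *"Illegal user"* | \
        *"Invalid user"* | \
        *"Postponed keyboard-interactive"*)
          # $msg is deliberately unquoted: split into words (globbing is off).
          record_failure ssh "$(last_from_arg $msg)"
          ;;
      esac
      ;;
    *postfix/smtpd*)
      case $msg in
        *"lost connection after AUTH"*)
          # The peer is logged as name[address]; keep only the bracketed part.
          peer=$(last_from_arg $msg)
          peer=${peer#*\[}
          peer=${peer%]*}
          record_failure postfix "$peer"
          ;;
      esac
      ;;
    *) ;;
  esac
done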