I have sshd set to drop after 2 failed attempts. I have blockhosts set for a trigger of 5. Now, with the script running for each connection (and no lag seems to be caused by this setup), why do ssh attacks still go into the 100's? The sshd daemon is linked with libwrap, so I know that's not the problem. Help? Perhaps I just need to modify the script so it's run as a daemon, too? Have it sit there and process log entries as they are made? Seems that would add a bit of overhead, but would that be the only way to block these attacks in under 100 attempts?