Over the last couple of days, a lot of malicious servers got caught by my OSSEC HIDS/IPS and have been sent to my iptables jail. However, I’ve been seeing one host (220.127.116.11) evading my traps for days. It has been knocking on my door at a slow pace, slow enough not to trigger the brute-force detection (which requires six events in a small period of time).
So I changed the brute force detection window to 86400 seconds, to see if that helps.
He got caught and went to jail 🙂
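The effect of the window change can be reproduced with a small sliding-window counter. This is an added example, not the author's OSSEC configuration: the 120-second short window, the sample addresses and the event timings are assumptions constructed for illustration, while the six-event threshold and the 86400-second window come from the post.

```python
from collections import defaultdict, deque

THRESHOLD = 6          # events per source that count as brute force (from the post)
SHORT_WINDOW = 120     # assumed original window in seconds (not stated in the post)
LONG_WINDOW = 86400    # widened window from the post (24 hours)


def detect(events, window_seconds, threshold=THRESHOLD):
    """Return {source_ip: timestamp of the event that tripped the rule}.

    events: iterable of (unix_timestamp, source_ip), sorted by timestamp.
    A source is flagged once `threshold` of its events fall inside
    a span of `window_seconds`.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in events:
        if ip in flagged:
            continue  # already jailed, nothing more to count
        q = recent[ip]
        q.append(ts)
        # Drop events that have aged out of the detection window.
        while ts - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = ts
    return flagged


def build_sample_events():
    """Constructed sample data (documentation address ranges, made-up timings)."""
    # Noisy host: 10 failed attempts, 5 seconds apart.
    noisy = [(1000 + 5 * i, "192.0.2.10") for i in range(10)]
    # Slow host: 12 failed attempts, one every 45 minutes.
    slow = [(1000 + 2700 * i, "198.51.100.7") for i in range(12)]
    return sorted(noisy + slow)


if __name__ == "__main__":
    events = build_sample_events()
    for window in (SHORT_WINDOW, LONG_WINDOW):
        hits = detect(events, window)
        print(f"window={window}s flagged={sorted(hits)}")
```

A wider window also counts unrelated failures that are hours apart, so a legitimate user with six mistyped passwords in a day is flagged as well.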