[SGVLUG] Who is that knocking on my ports?
Emerson, Tom (*IC)
Tom.Emerson at wbconsultant.com
Mon Jan 12 17:04:40 PST 2009
Those of you who run servers have probably seen this in your logs:
"Failed password for illegal user ... from <some.ip.address> port ...
ssh[2]", repeated in stretches, with user names ranging from "admin" to
"zimbra", all from the same IP address -- an obvious "break-in" attempt
[using brute force / sheer luck / whatever].
I'd like to develop a script [or perhaps someone has already] to do the
following:
1) identify the ISP or suitable "owner" of the netblock containing
the IP address
2) for "well known" ISP's, look up their security or "abuse" e-mail
addresses
3) generate, in real time, an e-mail report of the breakin attempt --
one e-mail per attempt :)
Yes, I intend to "spam" the ISP about what their user(s) are doing.
Of course, I'd want to have a threshold before this triggers -- I might
be "in the field" and mistype my own login [it happens...]. And for
the general case of one or two attempts, it's sort of like "getting a phone
trace": if the attack stops before my system can report it, there might
not be too much the ISP can do about it at that particular moment.
I expect responses from the ISPs along these lines:
1) nothing
2) canned "thank you" [perhaps even one-per-message I sent originally,
reverse spam...]
3) WTF? [and/or variations on "hey, you're spamming US"]
4) thanks, caught him in the act! [ok, maybe I don't /really/ expect
this one all that often...]
5) hmm, nice monitoring script you've got there, but seriously, if
there is an "attack in progress", just one message would do [hey, I can
dream, can't I?]
[this might even make a nice "project" for the devsig to tackle...]
Thoughts?
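The pipeline sketched in the post (spot the guessing run in the sshd log, apply a threshold so one mistyped login of your own never fires, find the netblock owner and abuse contact, draft the report) as an added example in Python. This is not code from the post or from SGVLUG; the log lines, the IP addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24), the WHOIS record and the addresses example.net / example.org are all constructed. The WHOIS field names it looks for (ARIN's OrgAbuseEmail / OrgName, the RIPE-style abuse-mailbox / netname) are real, but whether a given registry's answer carries them is something to check against live output. It deliberately produces one report per offending IP rather than one per attempt, which is the "just one message would do" variant from the post's own list of expected replies.

```python
"""Added example: flag brute-force SSH guesses per source IP, then draft an
abuse report to the netblock's WHOIS abuse contact.  Not part of the post."""
import re
import subprocess
from collections import defaultdict

# Shape of the sshd lines quoted in the post.  Matches "illegal user" (older
# OpenSSH), "invalid user" (newer) and plain failures for existing accounts.
FAILED_RE = re.compile(
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2?",
    re.IGNORECASE,
)
# Registry-specific field names for the abuse mailbox: ARIN prints
# OrgAbuseEmail, RIPE/APNIC/AfriNIC/LACNIC print abuse-mailbox.
ABUSE_RE = re.compile(r"^(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+@\S+)", re.I | re.M)
OWNER_RE = re.compile(r"^(?:OrgName|netname|owner):\s*(.+?)\s*$", re.I | re.M)

def parse_failures(lines):
    """{ip: [usernames tried, in order]} for every failed-password line."""
    attempts = defaultdict(list)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)

def offenders(attempts, threshold):
    """IPs at or above the threshold; a single mistyped password from your
    own address stays below it and never triggers a report."""
    return {ip: u for ip, u in attempts.items() if len(u) >= threshold}

def abuse_contact(whois_text):
    """Abuse mailbox from a raw WHOIS response, or None if none is listed.
    Falls back to any e-mail field whose address contains 'abuse'."""
    m = ABUSE_RE.search(whois_text)
    if m:
        return m.group(1)
    for m in re.finditer(r"^e-?mail:\s*(\S+@\S+)", whois_text, re.I | re.M):
        if "abuse" in m.group(1).lower():
            return m.group(1)
    return None

def netblock_owner(whois_text):
    """Organisation / netname that the registry lists for the block."""
    m = OWNER_RE.search(whois_text)
    return m.group(1) if m else None

def fetch_whois(ip):
    """Live lookup with the system whois(1) client.  Not called by the
    offline demo below; a real script would cache results per netblock."""
    return subprocess.run(["whois", ip], capture_output=True, text=True,
                          timeout=30).stdout

def build_report(ip, users, whois_text, reporter):
    """One report per offending IP (not per attempt), addressed to the abuse
    contact; falls back to a placeholder so a human can finish the lookup."""
    to = abuse_contact(whois_text) or "UNKNOWN - look up abuse contact by hand"
    owner = netblock_owner(whois_text) or "unknown"
    body = (f"Host {ip} (netblock owner: {owner}) made {len(users)} failed SSH "
            f"logins against my server, trying accounts: "
            f"{', '.join(sorted(set(users)))}.\n"
            f"Log excerpts available on request.  -- {reporter}")
    return {"to": to, "subject": f"SSH brute-force from {ip}", "body": body}

# Constructed sample data (documentation ranges 203.0.113.0/24, 198.51.100.0/24).
SAMPLE_LOG = [
    "Jan 12 16:58:01 host sshd[2213]: Failed password for illegal user admin from 203.0.113.45 port 51212 ssh2",
    "Jan 12 16:58:03 host sshd[2215]: Failed password for illegal user test from 203.0.113.45 port 51230 ssh2",
    "Jan 12 16:58:05 host sshd[2217]: Failed password for illegal user zimbra from 203.0.113.45 port 51244 ssh2",
    "Jan 12 16:58:06 host sshd[2218]: Accepted publickey for tom from 198.51.100.7 port 40001 ssh2",
    "Jan 12 17:01:40 host sshd[2301]: Failed password for tom from 198.51.100.7 port 40022 ssh2",
]
SAMPLE_WHOIS = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
descr:          Example ISP (constructed WHOIS record)
abuse-mailbox:  abuse@example.net
e-mail:         noc@example.net
"""

def demo(threshold=3):
    """Run the whole pipeline over the constructed data; returns the reports."""
    found = offenders(parse_failures(SAMPLE_LOG), threshold)
    return {ip: build_report(ip, users, SAMPLE_WHOIS, "tom@example.org")
            for ip, users in found.items()}

if __name__ == "__main__":
    for ip, rpt in demo().items():
        print(f"To: {rpt['to']}\nSubject: {rpt['subject']}\n\n{rpt['body']}\n")
```

With the threshold at 3, only 203.0.113.45 (three guesses at admin, test and zimbra) gets a report; the single failure from 198.51.100.7 is the "mistyped my own login" case and is ignored. To wire it up for real, feed it the tail of auth.log and replace SAMPLE_WHOIS with fetch_whois(ip), keeping the result cached per netblock so a long guessing run does not turn into a WHOIS query per line.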