Adaptive Firewall and ssh dictionary attacks
I set up the Adaptive Firewall. See http://support.apple.com/kb/TS4418 and http://support.apple.com/kb/ht5519.
Then I copied from /Application/Server.app/Contents/ServerRoot/private/etc/emond.d/ the files AdaptiveFirewall.plist and HostBlockingLogic.plist to the directory /etc/emond.d/rules/. I changed in /etc/emond.d/rules/AdaptiveFirewall.plist the values for hostBlockTheshold to 5 (block after 5 failed attempts) and the hostMinBlockTime to 10 (block 10 minutes). Rebooted.
I tested this config with (false) ssh and imap logins. emond is blocking the remote IP. But emond blocks the IP only, if I use 5 times the same login name. I see in the syslog dictionary attacks (different login names), these IPs aren't blocked!
How do I block these IPs?
Mac Pro, OS X Server