First off, very nicely done. Love the breakdown and that IPTables loop script is awesomely useful too.
Don't they often spoof IPs so banning that stops them right now, but they're back in an hour on another IP?
Also, using the auth log, is that a guarantee these are all attacks, or is it possible some were "good guys"? [just playing devil's advocate here]
Gonna do something like this on my servers, see what I get out of it :)
I was just thinking this. They could definitely use a VPN or some other proxy to mask their IP address.