I get some bozo regularily trying to br ute fo rce pas sword cra ck the server via ssh.

auth_log is only logging the proxy server he is using. Is it possible to log his x_forwarded_for IP?

I used to get attacks on my pas sword protected members area. What I have done there is to set apache to custom level to record the x_forwarded_for ip. Some proxy servers leak the x_forwarded for IP and thus I can report him directly to his ISP.

But auth_log doesn't show this information. Can it?

---

I have snort installed and running but I don't know how to use it effectively. Is it possible to get snort to action on these attempts?