Ok, I know there are several applications out there that watch for port 
scanning and the like, so maybe one of those can help out with this.  

One of the servers I maintain is a fairly high traffic web server. As a 
result, there are tons of "break-in" attempts.  These are hardly anything 
to be too worried about, but the security log tells me about them, mostly 
people trying to anonymous ftp in, or trying to ssh in as user anonymous 
(I don't even know WHY anyone would have that user as a system user in the 
first place).  Is there some way I can get an "instant" notification via 
email when someone tries to log in via ssh/ftp/etc (that logs to the 
security log) that ISN'T anonymous? For example, the other day, 2 IPs (in 
the same subnet, so presumably the same person) tried to FTP and ssh in 
close to 100 times with various user-names.  None of the usernames were 
correct, and even if the person did have one, we have a strong password 
rule and time delays on failed logins for everything, so it should take a 
few years before he gets close, but it would be nice to know the instant 
something like that happens so we can report it to the ISP faster, or take 
appropriate actions (like shutting down the service/blocking the IP if 
need be).

Any other tools/practices that you would recommend for this sort of scenario 
would also help, as this is not too uncommon of an occurrence anymore. And 
before everyone yells to get off FTP and use SCP, that isn't an option.  
But users who have FTP access don't have accounts, and those with accounts 
don't use FTP, so it should be fine.


Jay
-- 
Jay Kline
list at slushpupie.com
http://www.slushpupie.com
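
An added example, not part of the original post: one way to pick out the failed logins described above (non-anonymous ssh/ftp attempts, grouped by /24 so that two addresses in the same subnet count together). The log line formats, the threshold, and the names `parse_failure` and `alerts` are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not from the post). The sshd lines follow OpenSSH's
# "Failed password" wording; the ftpd line format is an assumption.
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[811]: Failed password for invalid user anonymous from 198.51.100.7 port 4021 ssh2
Mar  3 10:01:05 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.20 port 4100 ssh2
Mar  3 10:01:06 web1 ftpd[820]: FTP LOGIN FAILED FROM 203.0.113.21, oracle
Mar  3 10:01:09 web1 sshd[813]: Failed password for root from 203.0.113.20 port 4101 ssh2
Mar  3 10:01:11 web1 ftpd[821]: FTP LOGIN FAILED FROM 198.51.100.7, anonymous
Mar  3 10:01:15 web1 sshd[814]: Accepted password for jay from 192.0.2.5 port 5000 ssh2
"""

PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<ip>[\d.]+), (?P<user>\S+)"),
]
IGNORED_USERS = {"anonymous", "ftp"}  # routine noise that should not raise an alert


def parse_failure(line):
    """Return (user, ip) for a failed login worth alerting on, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m and m["user"].lower() not in IGNORED_USERS:
            return m["user"], m["ip"]
    return None


def alerts(lines, threshold=3, prefix=24):
    """Group failures by subnet; return {subnet: usernames} once threshold is met."""
    by_net = defaultdict(list)
    for line in lines:
        hit = parse_failure(line)
        if hit:
            user, ip = hit
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            by_net[str(net)].append(user)
    return {net: users for net, users in by_net.items() if len(users) >= threshold}


if __name__ == "__main__":
    for net, users in alerts(SAMPLE_LOG.splitlines()).items():
        # A real deployment would hand this text to smtplib or the local MTA.
        print(f"ALERT {net}: {len(users)} failed logins as {', '.join(users)}")
```

Run against new lines from the security log as they arrive, the returned subnet and username list is the body of the notification mail.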