Reading Bryan de Boyle's message: it is very useful to implement a
mechanism where users regularly (every two weeks, every month) get a
summary of failed login attempts to their account(s).
When I see one like this I know when I mistyped my pws, and failed
logins on days I did not log in will stick out.
How: awk and mail, cron'd. If you already run SecurID, I think it
comes with the system.
This does not show an ongoing attack, but it can alert that something
is going on. Run this on the firewall host where everybody must log
in, and get a report of it too. These things can be deleted immediately
since they only cover the past, so that you firewallers would not
use up the firewall disk.
(all opinions are my own and not necessarily understood by my employer)
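
The awk-and-mail report described in the message above, as an added example that is not part of the original post. The log line format, the sample data and the function names are assumptions made for illustration; mail is sent only when SEND=1.

```shell
#!/bin/sh
# Assumed syslog-style format (constructed; adjust the pattern to your system):
#   Mon DD HH:MM:SS host login: FAILED LOGIN FROM <source> FOR <user>

# Write constructed sample data to the file named in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 09:14:02 fw login: FAILED LOGIN FROM 10.0.0.5 FOR alice
Mar  3 09:14:09 fw login: FAILED LOGIN FROM 10.0.0.5 FOR alice
Mar  3 09:15:00 fw login: LOGIN ON ttyp1 BY alice FROM 10.0.0.5
Mar  9 03:02:41 fw login: FAILED LOGIN FROM 192.0.2.77 FOR alice
Mar 10 11:30:12 fw login: FAILED LOGIN FROM 10.0.0.8 FOR bob
Mar 10 11:31:40 fw login: FAILED LOGIN FROM 10.0.0.8 FOR S3cret!pw
EOF
}

# failed_summary LOGFILE USER: one line per day with the count and sources.
failed_summary() {
    awk -v user="$2" '
        / FAILED LOGIN FROM / && $NF == user {
            day = $1 " " $2
            if (!(day in count)) order[++n] = day   # keep log order
            count[day]++
            src = $(NF - 2)
            if (index(" " sources[day] " ", " " src " ") == 0)
                sources[day] = sources[day] (sources[day] == "" ? "" : " ") src
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s: %d failed from %s\n", order[i], count[order[i]], sources[order[i]]
        }' "$1"
}

# report_all LOGFILE: build each user's report; mail it only when SEND=1.
# The name filter drops junk typed at the login prompt (such as a password
# entered as the user name) so it is never used as a mail recipient.
report_all() {
    users=$(awk '/ FAILED LOGIN FROM / && $NF ~ /^[a-z_][a-z0-9_-]*$/ { print $NF }' "$1" | sort -u)
    for u in $users; do
        body=$(failed_summary "$1" "$u")
        if [ "${SEND:-0}" = 1 ]; then
            printf '%s\n' "$body" | mail -s "Failed logins on your account" "$u"
        else
            printf '== %s ==\n%s\n' "$u" "$body"
        fi
    done
}
```

Run `report_all` from cron at the chosen interval; in alice's report the Mar 9 line from an unfamiliar source is the kind of entry that sticks out.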