Filterling was written to combat the spammers and increasingly prevalent ssh brute force attacks.
It watches any number of logs for any number of regular expression matches. Once a configurable threshold is reached, a user defined action occurs, like inserting a filter with pf/iptables. After a specified amount of time has passed, the filter entry can be removed or some other user defined action can be performed.
You can whitelist IPs, and configure any shell command to execute instead of a filter insert/delete.
There is a pretty web interface (in ruby) that shows all the IPs currently blocked, their country of origin, and their country flag. You can click on the entry to get a full whois lookup.
I wrote this in a weekend, and updated the web stuff another day. It's a little rough, but has been running great for over a year for me on three boxes.
