The intrusion detection script resembles this:
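#!/bin/bash
#Filename: intruder_detect.sh
#Description: Intruder reporting tool with auth.log input
#
# Usage: intruder_detect.sh [auth.log]
#
# Reads an sshd auth log (default: /var/log/auth.log), keeps the
# "Failed password" lines, and prints one row per (user, source IP) pair:
# attempt count, reverse-DNS name of the IP, and the time range of the
# attempts (first -> last).
#
# Handling notes:
#   - Usernames in the log are attacker-supplied (sshd records whatever name
#     the client sent), so every value taken from the log is given to grep as
#     a fixed string (-F) and to printf as an argument, never as a pattern or
#     a format string.
#   - The reverse lookup goes to an external resolver, which discloses the
#     IPs under investigation to that resolver and to the IPs' own DNS
#     operators; set RESOLVER to an internal server when that matters.
#   - The scratch file is created with mktemp and removed on every exit path,
#     instead of a predictable /tmp/failed.$$.log that another local user
#     could pre-create or symlink.
set -euo pipefail

# Name server handed to host(1); the original hard-coded 8.8.8.8.
readonly RESOLVER=${RESOLVER:-8.8.8.8}

# Path of the scratch file holding the "Failed password" lines; set by main,
# global so the EXIT trap can still see it after main returns.
LOG=""

die() { printf '%s\n' "$*" >&2; exit 1; }

cleanup() { [[ -n "$LOG" ]] && rm -f -- "$LOG"; return 0; }

#######################################
# Reverse-resolve one IP address.
# Globals:   RESOLVER (read)
# Arguments: $1 - IPv4 address (already validated by the extraction regex)
# Outputs:   last field of host's final output line: a hostname, or a status
#            such as "3(NXDOMAIN)" when the lookup fails (host's non-zero
#            exit is tolerated so the report continues)
#######################################
resolve_host() {
  local ip=$1 out
  out=$(host "$ip" "$RESOLVER" || true)
  printf '%s\n' "$out" | tail -n 1 | awk '{ print $NF }'
}

#######################################
# Build and print the failed-login report.
# Globals:   LOG (written)
# Arguments: $1 - optional auth log path (default /var/log/auth.log)
# Outputs:   report table on stdout
# Returns:   0 on success; exits 1 via die() on unreadable input or grep error
#######################################
main() {
  local authlog=/var/log/auth.log
  if [[ -n "${1:-}" ]]; then
    authlog=$1
    printf 'Using Log file : %s\n' "$authlog"
  fi
  [[ -r "$authlog" ]] || die "cannot read log file: $authlog"

  LOG=$(mktemp) || die "mktemp failed"
  trap cleanup EXIT

  # Collect the failed login attempts. grep exits 1 when nothing matches,
  # which is a valid (empty) report, not an error; anything above 1 is.
  local rc=0
  grep -- 'Failed pass' "$authlog" > "$LOG" || rc=$?
  (( rc <= 1 )) || die "grep failed while reading $authlog"

  # Extract the users who failed. Field NF-5 is the username on both
  # "for USER from IP port N ssh2" and "for invalid user USER from IP port N
  # ssh2" lines; a username containing whitespace is reduced to its last
  # word (same limitation as the original awk expression).
  local -a users ips
  mapfile -t users < <(awk '{ print $(NF-5) }' "$LOG" | sort -u)
  # Extract the IP addresses of failed attempts.
  mapfile -t ips < <(grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$LOG" | sort -u)

  printf "%-10s|%-3s|%-16s|%-33s|%s\n" "User" "Attempts" "IP address" \
    "Host" "Time range"

  # Nothing to report; also keeps "${arr[@]}" on an empty array away from
  # set -u on older bash versions.
  (( ${#users[@]} > 0 && ${#ips[@]} > 0 )) || return 0

  # Loop through IPs and users who failed.
  local ip user attempts time_range
  local -a hits
  for ip in "${ips[@]}"; do
    for user in "${users[@]}"; do
      # One grep pass per (ip, user) instead of three. -F takes both values
      # literally (a dot in the IP is not a wildcard, metacharacters in the
      # username are not a pattern); -w stops 10.1.1.1 from also matching
      # 10.1.1.10.
      mapfile -t hits < <(grep -Fw -- "$ip" "$LOG" | grep -F -- " $user ")
      attempts=${#hits[@]}
      (( attempts > 0 )) || continue
      # First 16 characters = the syslog timestamp "Mon DD HH:MM:SS"
      # (equivalent of cut -c-16).
      time_range=${hits[0]:0:16}
      if (( attempts > 1 )); then
        time_range="$time_range -> ${hits[attempts-1]:0:16}"
      fi
      printf "%-10s|%-3s|%-16s|%-33s|%-s\n" "$user" "$attempts" "$ip" \
        "$(resolve_host "$ip")" "$time_range"
    done
  done
}

main "$@"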
The output resembles the following:
Using Log file : secure
User      |Attempts|IP address      |Host                             |Time range
pi        |1  |10.251.90.93    |3(NXDOMAIN)                      |Jan 2 03:50:24
root      |1  |10.56.180.82    |2(SERVFAIL)                      |Dec 26 04:31:29
root      |6  |10.80.142.25    |example.com                      |Dec 19 07:46:49 -> Dec 19 07:47:38