Lookup fail2ban. Nifty solution for exactly what you want to do.
Here's a bash script I like to use to parse my auth.logs for attacks.
Code:#!/bin/bash printf "Username stats:\n" grep "invalid user" /var/log/auth.log* | awk '{print $11}' | sort | uniq -c | sort -r printf "\nIP stats:\n" grep "invalid user" /var/log/auth.log* | awk '{print $13}' | sort | uniq -c | sort -r