Lookup fail2ban. Nifty solution for exactly what you want to do.

Here's a bash script I like to use to parse my auth.logs for attacks.

Code:
#!/bin/bash

printf "Username stats:\n"
grep "invalid user" /var/log/auth.log* | awk '{print $11}' | sort | uniq -c | sort -r
printf "\nIP stats:\n"
grep "invalid user" /var/log/auth.log* | awk '{print $13}' | sort | uniq -c | sort -r