Ok, I know there are several applications out there that watch for port scanning and the like, so maybe one of those can help out with this. One of the servers I maintain is a vairly high traffic web server. As a result, there are tons of "break-in" attempts. These are hardly anything to be too worried about, but the security log tells me about them, mostly people trying to anonymous ftp in, or trying to ssh in as user anonymous (I dont even know WHY anyone would have that user a system user in the first place). Is there some way I can get an "instant" notification via email when someone trys to log in via ssh/ftp/etc (that logs to the security log) that ISNT annonymous? For example, the other day, 2 IP's (in the same subnet, so presumebly the same person) tryed to FTP and ssh in close to 100 times with various user-names. None of the usernames were correct, and even if the person did have one, we have a strong password rule and time delays on failed logins for everything, so it should take a few years before he gets close- but it would be nice to know the instant something like that happens so we can report it to the ISP faster, or take appropriate actions (like shutting down the service/blocking the IP if need be). Any other tools/practices that you would recomend for this sort of senerio would also help, as this is not to uncommon of an occurance anymore. And before everyone yells to get off FTP and use SCP- that isnt an option. But users who have FTP access dont have accounts, and those with accounts dont use FTP, so it should be fine. Jay -- Jay Kline list at slushpupie.com http://www.slushpupie.com