2010-05-26, 08:19 PM
F2B really needs installing on the box that contains the logfiles, so the server (rather than the router) will do, since it monitors the logfiles continuously and takes action when a trigger condition is met.
In terms of protection: you can add it to live services (think SSHd, FTP, POP3) so that it will take action after (for instance) three consecutive failures within 10 seconds. I have it running against my default virtual host so that even though sniffers don't get anywhere, their activity is still logged and reported (I forward reports to the IP owner) and have alerted several people of compromised/trojaned servers on their network. It won't stamp out cracker activity totally, but the more I can erode the list of compromised servers, the faster the spam problem will begin to die out.
I wrote an article on the configuration and usage of F2B on my blog - check it for more details.
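
The trigger condition described in the post above (a number of failures from one address inside a short time window) can be sketched as follows. This is an added example, not part of the original post and not Fail2ban's own code; the log lines are constructed, and the regex, function name and parameters are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in sshd auth-log style (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
May 26 20:19:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 4001 ssh2
May 26 20:19:03 host sshd[1002]: Failed password for admin from 203.0.113.7 port 4002 ssh2
May 26 20:19:04 host sshd[1003]: Failed password for invalid user test from 198.51.100.9 port 5001 ssh2
May 26 20:19:08 host sshd[1004]: Failed password for root from 203.0.113.7 port 4003 ssh2
May 26 20:19:30 host sshd[1005]: Failed password for bob from 198.51.100.9 port 5002 ssh2
May 26 20:19:55 host sshd[1006]: Failed password for bob from 198.51.100.9 port 5003 ssh2
May 26 20:19:56 host sshd[1007]: Accepted password for bob from 198.51.100.9 port 5004 ssh2
"""

# Illustrative pattern for failed sshd logins; not a filter shipped with Fail2ban.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) ")

def find_offenders(log_text, max_failures=3, window_seconds=10, year=2010):
    """Return {ip: time of the failure that crossed the threshold}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures:
            banned[m["ip"]] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}; block and report")
```

With the sample data only 203.0.113.7 trips the three-in-ten-seconds rule; the slower failures from 198.51.100.9 stay under it unless the window is widened.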