Old 19th February 2013
asemisldkfj

Luckily I use SSH on such a small network that the authlog messages aren't too annoying, but FWIW it's fairly easy with pf to block traffic from hosts that complete too many TCP handshakes on port 22 in too short a window of time.

With these lines in pf.conf, if a host connects over port 22 more than three times in ten seconds they're added to the brutes table and any existing states involving that host are removed:

Code:
# hosts that tripped the rate limit; persist keeps the table even when no rule refers to it
table <brutes> persist
# drop anything from a listed host before evaluating further rules
block quick from <brutes>
# more than 3 completed handshakes from one source within 10 s: add the source to <brutes> and kill all its states
pass in on egress inet proto tcp from any to (egress) port 22 keep state (max-src-conn-rate 3/10, overload <brutes> flush global)
Edit: relevant section of pf.conf man page

Last edited by asemisldkfj; 19th February 2013 at 01:57 AM. Reason: adding link
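What that rule set actually does to a source, as an added example that is not part of the post above and was not written by its author: a small Python model of the per-source counter behind max-src-conn-rate and of what overload <brutes> flush global does to the state table, replayed over a constructed list of completed handshakes. The decay arithmetic follows my reading of pf_add_threshold() and pf_check_threshold() in OpenBSD's sys/net/pf.c (linear decay scaled by PF_THRESHOLD_MULT = 1000); that is an assumption about the kernel, since the post only states the "more than three in ten seconds" semantics. The addresses, ports and timestamps are made up.

```python
"""Model of pf's max-src-conn-rate / overload <table> flush global handling.

Added example, not from the forum post. Counter arithmetic is modelled on my
reading of pf_add_threshold() and pf_check_threshold() in OpenBSD's
sys/net/pf.c (linear decay, PF_THRESHOLD_MULT = 1000); that is an assumption
about the kernel, the post itself only states the 3/10 semantics. Addresses
and timestamps below are constructed.
"""
from dataclasses import dataclass, field

PF_THRESHOLD_MULT = 1000   # fixed-point scale pf uses so the decay stays integer


@dataclass
class Threshold:
    """Per-source counter behind max-src-conn-rate <limit>/<seconds>."""
    limit: int       # handshakes tolerated per window (3 in the post's rule)
    seconds: int     # window length in seconds (10 in the post's rule)
    count: int = 0
    last: int = 0    # uptime of the previous completed handshake

    def add(self, now: int) -> None:
        """Account one completed TCP handshake at uptime `now`."""
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0                                   # whole window elapsed: start over
        else:
            self.count -= self.count * diff // self.seconds  # decay linearly since the last hit
        self.count += PF_THRESHOLD_MULT
        self.last = now

    def exceeded(self) -> bool:
        """True once strictly more than `limit` handshakes fit inside one window."""
        return self.count > self.limit * PF_THRESHOLD_MULT


@dataclass
class PfModel:
    """Just enough of pf to show what <brutes> and the state table end up holding."""
    limit: int = 3
    seconds: int = 10
    flush_global: bool = True                      # "flush global" vs plain "flush"
    brutes: set = field(default_factory=set)       # contents of table <brutes>
    states: list = field(default_factory=list)     # (src, dport) state entries
    rates: dict = field(default_factory=dict)      # src -> Threshold

    def connect(self, now: int, src: str, dport: int) -> bool:
        """A TCP connection from `src` to `dport` completes its handshake at `now`.

        Returns True if it is allowed to stand, False if `src` is already in
        <brutes> ("block quick from <brutes>") or has just been overloaded.
        """
        if src in self.brutes:
            return False                           # SYN dropped, no state is ever created
        self.states.append((src, dport))
        if dport != 22:
            return True                            # only the port 22 rule carries the limit
        th = self.rates.setdefault(src, Threshold(self.limit, self.seconds))
        th.add(now)
        if not th.exceeded():
            return True
        self.brutes.add(src)                       # overload <brutes>
        # plain flush kills this source's states created by the port 22 rule;
        # flush global kills every state from the source, whichever rule created it
        self.states = [s for s in self.states
                       if s[0] != src or (not self.flush_global and s[1] != 22)]
        return False


# Constructed sample: uptime in seconds, source address, destination port.
SAMPLE_EVENTS = [
    (100, "192.0.2.10", 22),
    (101, "203.0.113.5", 443),   # unrelated session from the soon-to-be brute
    (102, "203.0.113.5", 22),
    (103, "203.0.113.5", 22),
    (104, "203.0.113.5", 22),
    (105, "203.0.113.5", 22),    # 4th handshake inside 10 s: overloaded
    (106, "203.0.113.5", 22),    # blocked by "block quick from <brutes>"
    (120, "192.0.2.10", 22),
    (140, "192.0.2.10", 22),
    (160, "192.0.2.10", 22),     # four logins, but 20 s apart: never overloaded
]


def run(events=SAMPLE_EVENTS, limit=3, seconds=10, flush_global=True):
    """Replay `events` and return the model plus the per-event verdicts."""
    pf = PfModel(limit, seconds, flush_global)
    verdicts = [(now, src, dport, pf.connect(now, src, dport))
                for now, src, dport in events]
    return pf, verdicts


if __name__ == "__main__":
    pf, verdicts = run()
    for now, src, dport, ok in verdicts:
        print(f"t={now:>4} {src:>14}:{dport:<4} {'pass' if ok else 'BLOCK'}")
    print("table <brutes>:", sorted(pf.brutes))
    print("remaining states:", pf.states)
```

Two things worth noticing in the replay: the brute's unrelated port 443 state is killed as well, which is the difference "global" makes, and a host that opens four sessions 20 seconds apart never trips the limit because the counter has fully decayed each time. The model does not expire entries from <brutes>; on a real box check and age them with `pfctl -t brutes -T show` and `pfctl -t brutes -T expire 86400`, and syntax-check the ruleset with `pfctl -nf /etc/pf.conf` before loading it.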