I use something like this (play around with it to do what you need it to do):
Code:
for i in $(grep sshd /var/log/authlog | grep -E "[iI]nvalid user .+ from" | sed 's/.*from //' | cut -d ' ' -f 1); do pfctl -t bruteforce -T add "$i"; done
There are many ways. I don't do this in real-time or in cron so I don't care about where I left off in the log, for example.
I also have a safe table in pf that matches my home IP before blocking on the bruteforce table so I can't lock myself out by accident. I did it once. That was enough. I only do that because it's a remote server.
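
A stricter version of the extraction step, as an added example that is not part of the original post: it takes the address after the last " from " (text before it can come from the attacker-chosen username), accepts only well-formed IPv4, drops duplicates, and skips your own addresses before anything reaches pfctl. The `SAFE_IPS` variable, the function names and the sample log lines are assumptions made for the example; the `bruteforce` table name is the one used in the post.

```sh
#!/bin/sh
# Added example, not the poster's script. IPv4 only; IPv6 sources are ignored here.
# Assumption: SAFE_IPS holds your own address(es), space separated.
SAFE_IPS="${SAFE_IPS:-203.0.113.10}"

# Read authlog text on stdin, print each new, valid, non-safe offender once.
offenders() {
    awk -v safe="$SAFE_IPS" '
    BEGIN { n = split(safe, s, " "); for (i = 1; i <= n; i++) skip[s[i]] = 1 }
    /sshd/ && /[iI]nvalid user .+ from / {
        # sshd itself appends "from <addr> port <n>", so keep only what
        # follows the LAST " from "; earlier text may be username content.
        ip = $0
        while ((p = index(ip, " from ")) > 0) ip = substr(ip, p + 6)
        sub(/ .*/, "", ip)
        if (!valid(ip) || (ip in skip) || seen[ip]++) next
        print ip
    }
    function valid(a,   o, k) {
        if (split(a, o, ".") != 4) return 0
        for (k = 1; k <= 4; k++)
            if (o[k] !~ /^[0-9]+$/ || length(o[k]) > 3 || o[k] + 0 > 255) return 0
        return 1
    }'
}

# Constructed sample lines (documentation address ranges), not real log data.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 host sshd[1234]: Invalid user admin from 198.51.100.7 port 51234
Mar  3 10:15:03 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 10:16:40 host sshd[1301]: Invalid user x from 203.0.113.10 from 192.0.2.55 port 40022
Mar  3 10:17:12 host sshd[1322]: Invalid user test from 203.0.113.10 port 50100
Mar  3 10:18:00 host sshd[1340]: Invalid user a from bad.example.net port 4000
Mar  3 10:19:00 host sshd[1350]: Accepted publickey for me from 203.0.113.10 port 50200 ssh2
EOF
}

# Dry run on the sample; prints the addresses that would be added.
sample_log | offenders

# On the server, as root, feed the real log instead:
#   offenders < /var/log/authlog |
#       while read -r ip; do pfctl -t bruteforce -T add "$ip"; done
```

Filtering in the script complements the safe table in pf rather than replacing it: the pf rule order is what still protects you if an address gets into the table some other way.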