Oddly enough I did have both pf and ossec, a brute-force log analyser running but clearly this time the attack was larger than previous ones. Here's the pf rule i had, perhaps it was too lenient;
Code:
pass in log on $ext_if proto tcp from any to any port 22 keep state (source-track rule, max-src-states 40, max-src-conn 15, max-src-conn-rate 15/60)