So the solution also became a script running every 10 minutes:
Code:
# Collect IPv4 source addresses with 10 or more failed sshd logins in the current authlog.
# After rev, field 4 (counted from the end of the line) is the address in
# "Failed password for <user> from <addr> port <port> ssh2"; grep '[.]' keeps only IPv4.
grep sshd /var/log/authlog | grep -i failed \
  | rev | cut -d' ' -f 4 | grep '[.]' | rev \
  | sort | uniq -c \
  | awk '{ if ($1 >= 10) print $2 }' > /etc/ssh_block
and pf is checking this file... pf.conf:
Code:
# Table filled from the file the script writes; "persist" keeps it even when no rule references it.
# pf reads the file when the ruleset is loaded; to pick up a rewritten file without reloading
# the whole ruleset, run: pfctl -t ssh_block -T replace -f /etc/ssh_block
table <ssh_block> persist file "/etc/ssh_block"
block drop in from <ssh_block> to any
The authlog is rotated weekly, so every IP that makes 10 or more failed ssh logins during a week is blocked.