just a minor variation (in B dur) for what the others had said: relevant parts of /etc/pf.conf:

SSH_LIMIT="(max-src-conn-rate 3/30, overload <bad_ssh> flush global)"

table <bad_ssh> persist

block return-rst log quick proto tcp from <bad_ssh> label "ssh-pirate"

block in

pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
        flags S/SA keep state $SSH_LIMIT label "ssh"

kripel> cat /etc/daily.local
#!/bin/sh
echo "flushing bad_ssh: "
pfctl -t bad_ssh -T show
pfctl -t bad_ssh -T flush

yes, i know, i am forgiving, i flush the table every day.. but you get the
idea. you can play with this as much as you like. even make statistics,
draw graphs, etc ;-) corporate drones like that ;-) show them how much
they need openbsd

-f
--
drinking kills brain cells, but just the weak ones...
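
One way to get the statistics mentioned above out of the daily flush, as an added example that is not part of the original post: it records the contents of <bad_ssh> with a date before the table is emptied and reports per-day counts and addresses that keep coming back. The history path in HIST and the function names are assumptions made for this sketch, and the demo addresses are constructed.

```shell
#!/bin/sh
# Added example: keep a dated history of <bad_ssh> before the daily flush.
# HIST is a hypothetical log path; override it in the environment.
HIST="${HIST:-/var/log/bad_ssh.history}"

# record_snapshot DATE: read `pfctl -t bad_ssh -T show` output on stdin
# (one indented address per line) and append "DATE ADDRESS" lines to $HIST.
# Lines that are not a single bare address (warnings etc.) are skipped.
record_snapshot() {
    awk -v d="$1" 'NF == 1 && $1 ~ /^[0-9A-Fa-f:.]+$/ { print d, $1 }' >> "$HIST"
}

# daily_counts: print "DATE COUNT" for every recorded day, oldest first.
daily_counts() {
    awk '{ n[$1]++ } END { for (d in n) print d, n[d] }' "$HIST" | sort
}

# repeat_offenders MIN: print "ADDRESS DAYS" for addresses that were in the
# table on at least MIN distinct days, i.e. they came back after a flush.
repeat_offenders() {
    awk -v min="$1" '!seen[$1 FS $2]++ { days[$2]++ }
        END { for (a in days) if (days[a] >= min) print a, days[a] }' "$HIST" | sort
}

# demo: constructed table dumps (documentation address ranges), temp history.
demo() {
    HIST=$(mktemp)
    printf '   192.0.2.10\n   198.51.100.7\n' | record_snapshot 2024-01-01
    printf '   192.0.2.10\n   2001:db8::5\n'  | record_snapshot 2024-01-02
    daily_counts
    repeat_offenders 2
    rm -f "$HIST"
}

# In /etc/daily.local the two calls would sit around the existing flush:
#   pfctl -t bad_ssh -T show | record_snapshot "$(date +%Y-%m-%d)"
#   pfctl -t bad_ssh -T flush
if [ "${1:-}" = demo ]; then demo; fi
```

The output of daily_counts is two columns, date and count, which can be fed to a plotting tool as it is.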