What if you could set up a pf rule to overload an IP address into a table if it tried to access the wrong port on an address, and overload flush global immediately into a blocklist (max-src-states 0)!
Or, with max-src-conn-rate 2/60, when sshd behaves in such a manner as to confirm that a successful connection has taken place, that max-src-conn-rate gets reset for that connection, so that you could log in and log out faster than twice in a minute without getting put on a blocklist!