You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz for successful and unsuccessful logins and then add the unsuccessful logins with pfctl to a blocked table. To have it permanent after a reboot you can write with pfctl the blocked ip's to a file, which you re-read in a pf.conf ruleset.
Like table <bruteforce> persist file "/etc/pf.bruteforce" block in quick proto tcp from <bruteforce> to any Stefan  ________________________________________ Van: owner-m...@openbsd.org <owner-m...@openbsd.org> namens Luke Small <lukensm...@gmail.com> Verzonden: zaterdag 5 mei 2018 00:16 Aan: openbsd-misc Onderwerp: Can SSH report successful connections to pf? Can SSH and possibly other programs more easily able to report successful connections so pf can make stricter bruteforce connection rejecting even better?