fail2ban for NetBSD-based routers & networks

[Erik Fair <fair%netbsd.org@localhost>]

I use NetBSD as a router for my public IP network. It works pretty well, but 
I'm getting really tired of the door-knob turners who keep trying accounts & 
passwords on ssh, IMAP, etc. I would like to shut them out of the network as a 
a whole at my router efficiently.

I can't do much about UDP attacks on DNS - those may or may not have a valid 
source IP address, so it would be foolish to trust that enough to use it as 
filtering source data. However, any TCP based attack has to be two-way, so 
that's worth banning.

Does anyone have a fail2ban equivalent for NetBSD that has: 

authentication of the sources of the filtered addresses (by that I mean, any 
one of N authenticated hosts may contribute an address to the filter, but no 
one gets to lie to it - yes, I recognize that this means it must operate under 
one administrative authority),

aging management of the blacklist, i.e. addresses age out, but if they come 
back, the age-out period goes up either geometrically or exponentially, and

the blacklist is persistent across router reboots, e.g. a database in /var/db 
exists which an rc script will load into the operational blacklist at boot.

Clearly, such a daemon/service has to use one of the filtering mechanisms 
available in NetBSD, e.g. ipf, pf; it would be helpful to know which of those 
have been exercised enough to be trusted with a potentially high rate of 
table/filter change without crashing the kernel.

        thanks,

        Erik <fair%netbsd.org@localhost>