Subject: Re: Security centre
To: Jan Danielsson <jan.danielsson@gmail.com>
From: Travis H. <solinym@gmail.com>
List: tech-security
Date: 02/05/2006 17:42:48
Well, if you have a logwatching tool (see www.loganalysis.org) it is
relatively trivial to set up my program, dfd_keeper, to block the bad
guys after you detect a brute-force attempt.

The default script (keeper_example.py) has a "block" command already,
and you would invoke it like so:

in rc.local:
/etc/keeper_example.py &

when you detect that $IP_HERE is attempting to brute-force ssh:
(echo "block $IP_HERE"; echo quit) | nc localhost 8007

Probably the quit is not even necessary.

You will undoubtedly want to customize keeper_example.py for your installation.
If you wish to play around with it w/o affecting pf, then pass it
--test on the command line.
Do not be intimidated by the python; it is very simple to understand
(easier than shell scripts I'd say, albeit less familiar).

Feel free to email me if you have any questions.
--
"Cryptography is nothing more than a mathematical framework for discussing
various paranoid delusions." -- Don Alvarez
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
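As an added example (not from Travis's mail, dfd_keeper or keeper_example.py), the glue the mail describes: count sshd "Failed password" lines per source address and feed each offender to the keeper socket as `block IP` / `quit`. The log lines, the threshold of 3 attempts, and the function names are assumptions made here; the host and port (localhost 8007) are the ones in the mail.

```sh
#!/bin/sh
# Constructed sample of OpenSSH auth log lines (not taken from any real host).
SAMPLE_LOG='Feb  5 17:40:01 gw sshd[1201]: Failed password for root from 192.0.2.10 port 4022 ssh2
Feb  5 17:40:03 gw sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 4023 ssh2
Feb  5 17:40:05 gw sshd[1205]: Failed password for root from 192.0.2.10 port 4024 ssh2
Feb  5 17:40:07 gw sshd[1207]: Failed password for jan from 198.51.100.7 port 5100 ssh2
Feb  5 17:40:09 gw sshd[1209]: Accepted publickey for jan from 198.51.100.7 port 5101 ssh2
Feb  5 17:40:11 gw sshd[1211]: Failed password for jan from 198.51.100.7 port 5102 ssh2'

# Assumed threshold: this many failed passwords from one address counts as brute force.
THRESHOLD=${THRESHOLD:-3}

# Read log text on stdin; print each source IP with >= THRESHOLD failures, sorted.
brute_force_ips() {
    awk -v thr="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the address is the field after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print ip }
    ' | sort
}

# The two lines the mail sends to the keeper: "block <ip>" then "quit".
keeper_block_cmd() {
    printf 'block %s\nquit\n' "$1"
}

# Deliver the command to the keeper socket (defaults are the mail's localhost:8007).
block_ip() {
    keeper_block_cmd "$1" | nc "${KEEPER_HOST:-localhost}" "${KEEPER_PORT:-8007}"
}

# With a log file argument, block its offenders for real.
# With no argument, dry-run on the constructed sample and only print the commands.
if [ $# -gt 0 ]; then
    brute_force_ips < "$1" | while read -r ip; do block_ip "$ip"; done
else
    printf '%s\n' "$SAMPLE_LOG" | brute_force_ips | while read -r ip; do keeper_block_cmd "$ip"; done
fi
```

Run it as `sh keeper_autoblock.sh /var/log/authlog` from a logwatcher hook once keeper_example.py is listening; in the dry run only 192.0.2.10 crosses the threshold, since the Accepted line is not counted.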