Turning Away The Brutes (cont'd)

Tighten a bit for ssh, differentiate:

/etc/pf.conf

table <bruteforce> persist

block quick from <bruteforce>

# tighter for ssh
pass quick proto tcp to port ssh \
        keep state (max-src-conn 15, max-src-conn-rate 5/3, \
        overload <bruteforce> flush global)

pass inet proto tcp to $int_if:network port $tcp_services \
        keep state (max-src-conn 100, max-src-conn-rate 15/5, \
        overload <bruteforce> flush global)

Note: this does not stop the slow brutes, a.k.a. The Hail Mary Cloud, which likely was (or is) a deliberate attempt at avoiding this kind of measure (use keys-only auth!)
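
An added example, not part of the original slides: a simplified Python model of max-src-conn-rate, run over constructed connection events, showing which sources end up in <bruteforce> under the ssh limit (5/3) and under the general limit (15/5). The exact per-source sliding window is an assumption made for clarity (PF keeps its own internal rate counter, so borderline cases can differ), and all addresses and timings are made up.

```python
from collections import defaultdict, deque


def overloaded_sources(events, max_rate=(5, 3)):
    """Return the sources that exceed max_rate = (connections, seconds).

    events: (timestamp_seconds, source_ip) tuples in time order.
    Assumption: an exact sliding window per source stands in for PF's counter.
    """
    limit, window = max_rate
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    table = set()                 # stands in for the <bruteforce> table
    for ts, src in events:
        if src in table:
            continue              # "block quick from <bruteforce>"
        q = recent[src]
        while q and ts - q[0] >= window:
            q.popleft()           # forget connections older than the window
        q.append(ts)
        if len(q) > limit:        # rate exceeded: "overload <bruteforce>"
            table.add(src)
            del recent[src]
    return table


def sample_events():
    """Constructed sample data (documentation address ranges)."""
    # One noisy host: 10 connections at 0.2 s intervals.
    events = [(i * 0.2, "198.51.100.7") for i in range(10)]
    # Twenty hosts, each connecting 3 times with 300 s between attempts.
    for host in range(1, 21):
        for attempt in range(3):
            events.append((attempt * 300 + host, f"203.0.113.{host}"))
    return sorted(events)


if __name__ == "__main__":
    ev = sample_events()
    print("ssh rule 5/3      ->", overloaded_sources(ev, (5, 3)))
    print("general rule 15/5 ->", overloaded_sources(ev, (15, 5)))
```

Only the noisy host is caught, and only by the tighter ssh limit; the sixty spread-out connections from the other twenty hosts never approach either limit, which is why the note above points to keys-only authentication.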