Untitled

a guest
Feb 19th, 2017
```
# Table that keeps track of the IP addresses of SSH brute forcers:
table <bruteforce> persist

# Block any address in the table so it can no longer connect to the system:
block quick from <bruteforce>

# How an address gets added to the table:
# a source that holds more than 5 simultaneous connections to the SSH port,
# or opens more than 5 new connections within 30 seconds, is added to the
# table and all of its existing states are flushed:
pass inet proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/30, \
    overload <bruteforce> flush global)
```
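Added example (not part of the original paste): a simplified Python model of how the two limits in the rule above decide which source lands in `<bruteforce>`. The event list and addresses are constructed, and the rate limit is modelled as a plain 30-second sliding window, which is an assumption; pf's own rate accounting is not reproduced here.

```python
from collections import defaultdict, deque

MAX_SRC_CONN = 5                  # max-src-conn 5
RATE_COUNT, RATE_SECS = 5, 30     # max-src-conn-rate 5/30

def simulate(events):
    """events: (time_s, src_ip, 'open'|'close') tuples sorted by time.
    Returns {src_ip: (time_s, limit_name)} for every overloaded source."""
    open_conns = defaultdict(int)   # simultaneous connections per source
    recent = defaultdict(deque)     # open times inside the rate window
    bruteforce = {}                 # stands in for table <bruteforce>
    for t, src, kind in events:
        if src in bruteforce:
            continue                # "block quick from <bruteforce>"
        if kind == "close":
            open_conns[src] = max(0, open_conns[src] - 1)
            continue
        open_conns[src] += 1
        window = recent[src]
        window.append(t)
        while t - window[0] >= RATE_SECS:
            window.popleft()        # forget opens older than 30 s
        if open_conns[src] > MAX_SRC_CONN:
            reason = "max-src-conn"
        elif len(window) > RATE_COUNT:
            reason = "max-src-conn-rate"
        else:
            continue
        bruteforce[src] = (t, reason)   # "overload <bruteforce>"
        open_conns[src] = 0             # "flush global": states are killed
        window.clear()
    return bruteforce

def sample_events():
    """Constructed traffic: two abusive sources and one normal admin."""
    ev = []
    for i in range(6):
        # Fast reconnects: one short connection every 2 seconds.
        ev += [(2 * i, "198.51.100.7", "open"), (2 * i + 1, "198.51.100.7", "close")]
        # Slow but parallel: a new connection every 10 s, never closed.
        ev.append((10 * i, "203.0.113.9", "open"))
    for t in (0, 60, 120):
        # Admin: three 40-second sessions, one per minute.
        ev += [(t, "192.0.2.20", "open"), (t + 40, "192.0.2.20", "close")]
    return sorted(ev)

if __name__ == "__main__":
    for src, (t, reason) in simulate(sample_events()).items():
        print(f"{src} added to <bruteforce> at t={t}s ({reason})")
```

The slow source never exceeds the rate limit and is caught only by `max-src-conn`, which is why the rule sets both options.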