Setup sshguard and pf to block brute-forcers

sshguard is much more reliable and easier to setup than python-based fail2ban. The manpage is very helpful guiding you through setup: man 7 sshguard-setup.

$ pkg install sshguard
$ vim /usr/local/etc/sshguard.conf   # conf file is self-explaining

$ cat >> /etc/pf.conf
    table <sshguard> persist
    block in proto tcp from <sshguard>

$ cat >> /etc/rc.conf
    sshguard_enable="YES"

$ service pf restart
$ service sshguard restart

$ pfctl -t sshguard -T show     # show sshguard table content
$ pfctl -vvsTables              # show all pf tables
$ grep sshguard /var/log/auth   # show sshguard blocking IPs in action