bokumin.org


pf Alone is Enough for SSH Defense

This article is a translation of the following article of mine:

 

 

* Translated automatically by Google.
* Please note that some links or referenced content in this article may be in Japanese.
* Comments in the code were originally written in Japanese.

 

by bokumin

 


 

I had been using Fail2ban for a long time to stop SSH brute-force attempts, but I realized that it is actually unnecessary on my FreeBSD firewall server. Add the following to /etc/pf.conf.

 

# ext_if is the outward-facing interface
# firewall_host is this host's own address
# The table declaration and the block rule are not shown in the original post;
# without a rule that matches on <ratelimit>, a listed source can simply
# reconnect as soon as its rate counter has decayed.
table <ratelimit> persist
block in quick on $ext_if inet proto tcp from <ratelimit> to $firewall_host port 22
pass in on $ext_if inet proto tcp to $firewall_host port 22 flags S/SA keep state \
  (max-src-conn 5, max-src-conn-rate 5/30, \
  overload <ratelimit> flush global)

 

max-src-conn 5 → at most 5 simultaneous TCP connections (states whose 3-way handshake has completed) from the same source IP
max-src-conn-rate 5/30 → at most 5 new connections per 30 seconds from the same source IP; pf computes this as a moving average, so it is an approximation rather than a strict window
overload <ratelimit> flush global → a source that exceeds either limit is added to the <ratelimit> table and all of its existing states are killed, not only those created by this rule

 

With this rule, a source that exceeds either limit (a sixth simultaneous connection, or new connections faster than roughly 5 per 30 seconds) has the offending state dropped and is added to the <ratelimit> table, and flush global then kills every state that source already holds. The table by itself blocks nothing: pf.conf also needs a block rule that matches traffic from <ratelimit> (a block quick rule ahead of the pass rule), otherwise the source can reconnect as soon as its rate counter has decayed.
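To make the two limits concrete, here is an added example (my own Python model, not code from the original post and not pf's own code) that replays pf's per-source accounting for this rule: a connection is counted when its handshake completes, max-src-conn counts open connections, max-src-conn-rate is the decaying counter that pf.c implements in pf_add_threshold() with PF_THRESHOLD_MULT = 1000 and whole-second timestamps, and a source that trips either limit goes into the overload table and loses all its states. The decay formula follows pf.c as I read it, so treat the exact counts as a model; the class and function names, the sample addresses and the event timings are all invented for the illustration.

```python
"""Model of pf's per-source limits for the SSH pass rule above (added example,
not code from the original post).  Assumptions, from my reading of pf.c
(pf_src_connlimit / pf_add_threshold / pf_check_threshold):
  * a connection is counted once its TCP handshake completes, not on the SYN;
  * max-src-conn-rate is a decaying counter with whole-second timestamps and
    PF_THRESHOLD_MULT = 1000, i.e. a moving average, not a strict window;
  * a source that trips either limit loses the new state, is added to the
    overload table and, because of 'flush global', loses all other states.
"""

PF_THRESHOLD_MULT = 1000


class Threshold:
    """pf's moving-average counter for max-src-conn-rate <limit>/<seconds>."""

    def __init__(self, limit, seconds):
        self.limit = limit * PF_THRESHOLD_MULT
        self.seconds = seconds
        self.count = 0      # scaled by PF_THRESHOLD_MULT
        self.last = 0       # uptime (whole seconds) of the previous connection

    def add(self, now):
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0
        else:
            # integer arithmetic, as the kernel does it
            self.count -= self.count * diff // self.seconds
        self.count += PF_THRESHOLD_MULT
        self.last = now

    def exceeded(self):
        return self.count > self.limit


class SourceNode:
    """Per-source tracking: open connections plus the rate counter."""

    def __init__(self, rate_limit, rate_seconds):
        self.conns = set()
        self.rate = Threshold(rate_limit, rate_seconds)


class SshLimiter:
    """Emulates: pass ... keep state (max-src-conn 5, max-src-conn-rate 5/30,
    overload <ratelimit> flush global) together with a
    'block quick from <ratelimit>' rule ahead of it."""

    def __init__(self, max_src_conn=5, rate_limit=5, rate_seconds=30):
        self.max_src_conn = max_src_conn
        self.rate_limit = rate_limit
        self.rate_seconds = rate_seconds
        self.nodes = {}          # source address -> SourceNode
        self.ratelimit = set()   # the <ratelimit> overload table

    def connect(self, now, src, conn_id):
        """Handshake for conn_id from src completed at uptime `now`.
        Returns 'blocked' (table hit), 'accepted' or 'overload'."""
        if src in self.ratelimit:
            return "blocked"                       # block quick from <ratelimit>
        if src not in self.nodes:
            self.nodes[src] = SourceNode(self.rate_limit, self.rate_seconds)
        node = self.nodes[src]
        node.conns.add(conn_id)
        node.rate.add(now)
        if len(node.conns) <= self.max_src_conn and not node.rate.exceeded():
            return "accepted"
        self.ratelimit.add(src)                    # overload <ratelimit>
        node.conns.clear()                         # flush global: kill its states
        return "overload"

    def close(self, src, conn_id):
        """Connection torn down; the source's open-connection count drops."""
        if src in self.nodes:
            self.nodes[src].conns.discard(conn_id)


def burst(limiter, src, start, n, spacing, hold=False):
    """Complete n handshakes from src, `spacing` seconds apart, and return the
    per-connection verdicts.  hold=False closes each connection again at once
    (a bot that reconnects for every password guess); hold=True keeps them
    open (parallel sessions)."""
    verdicts = []
    for i in range(n):
        conn_id = f"{src}#{i}"
        verdicts.append(limiter.connect(start + i * spacing, src, conn_id))
        if not hold:
            limiter.close(src, conn_id)
    return verdicts


if __name__ == "__main__":
    # Constructed scenarios; the addresses are documentation ranges (RFC 5737).
    print("6 parallel sessions:  ", burst(SshLimiter(), "203.0.113.9", 100, 6, 0, hold=True))
    print("1 connection per 10 s:", burst(SshLimiter(), "198.51.100.7", 0, 20, 10))
    print("1 connection per 5 s: ", burst(SshLimiter(), "198.51.100.8", 0, 12, 5))
```

The three scenarios show what to expect from the rule: six parallel sessions from one address trip the limit on the sixth; a client that reconnects every 10 seconds is never bothered; a bot that reconnects every 5 seconds (six per 30 seconds) gets nine connections before the moving average crosses the limit, after which everything from it is dropped. On the firewall itself, pfctl -t ratelimit -T show lists the addresses currently in the table and pfctl -t ratelimit -T delete 203.0.113.9 releases one by hand.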

 

Fail2ban runs as a resident process and was consuming a fair amount of resources, so I decided it should be removed if it is unnecessary.

 

 

Fail2ban is still needed when more advanced access control is required: decisions based on log contents (number of password failures, invalid user names, and so on), centralized handling of several services (SSH, HTTP, mail, etc.), or integration with mod_security. In fact, my web server uses Fail2ban together with mod_security, which is a defense that pf alone cannot provide.
On the other hand, for the simple case of SSH access control on a firewall server, pf rate limiting plus geographic blocking is sufficient.

 

For geographic blocking, please refer to the following article.

 

 


Systems should be kept simple. Removing the unnecessary Fail2ban has made the server easier to manage.

 

As a side note, to release blocked addresses periodically, add the following cron entry. pfctl -T expire removes table entries that were added more than 86400 seconds (one day) ago, so a blocked IP is unblocked after 24 hours:

 

0 * * * * /sbin/pfctl -t ratelimit -T expire 86400

 

 

End