Ok. I'm slow enough writing that others have started to answer also...

Vikas N Kumar wrote:
quoted text
> ... I have set maximum number
> of tries to just 2, I would like to be able to note down the IP address
> (after say 10 unsuccessful login attempts) from where the attacks are coming
> in and then dynamically add them to hosts.deny for the next few days or
> permanently...

Working with hosts.deny is not a pf feature, but it might be glued
together.

Curt Micol wrote:
quoted text
> I think this is what you want:
> http://home.nuug.no/~peter/pf/en/bruteforce.html

As Curt just answered, PF tables are an option.  See also
	http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

I am getting good mileage out of "The Book of PF", and tables are
covered there pp 67-71 and pp 31-32.  Maybe using PF's tables is enough
for you.

There are at least four pieces that might be useful if you really want a
script to add to hosts.deny.
	1) pf.conf
	2) pfctl
	3) sshd_config
	4) /var/log/authlog

Henri Salo wrote:
quoted text
> There was a topic in a misc 2008-04-16 with subject "PF ssh bruteforce
> logging and blocking". You should read it.

Basically, you can have the blocked addresses exported from the PF
table.  From there they can be imported via a script into hosts.deny or
anywhere else you might want.  The tool for that is pfctl with the "-t"
and "-T show" options:
	http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl

However, PF only logs the connections attempts.  The sshd_config keyword
"MaxAuthTries" will specifically log failed attempts to log in, per
connection, if they exceed 1/2 the maximum number of tries for that
connection.
	http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
However, if each attempt is on a new connection, then that's not
necessarily a help for you.

The failed attempts will also show up in /var/log/authlog, regardless.

e.g.	Apr 16 17:13:27 +gateway sshd[12708]: Failed password
	for root from 218.106.52.91 port 58224 ssh2

And that can be parsed for addresses.

Regards,
-Lars