Hello list, I've taken the normal steps to secure ssh (key-only auth), but because it is still on the normal port (22) I keep seeing attempts like this in my auth log:
Feb 16 04:36:13 shell sshd[28127]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:17 shell sshd[8049]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:21 shell sshd[13624]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:25 shell sshd[3646]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:29 shell sshd[9792]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:33 shell sshd[18690]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:37 shell sshd[24858]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:41 shell sshd[17393]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:45 shell sshd[27239]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:49 shell sshd[30452]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:53 shell sshd[23253]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:57 shell sshd[14086]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:37:02 shell sshd[7236]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:37:06 shell sshd[26969]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:37:09 shell sshd[30074]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:37:13 shell sshd[26513]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:37:17 shell sshd[10258]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:37:21 shell sshd[23409]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:37:25 shell sshd[28264]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:37:29 shell sshd[5110]: Received disconnect from 218.108.234.158: 11: Bye Bye

This is every couple of seconds, as you can see.
What I'd like is to allow a maximum of 2 failures from one IP in 30 seconds; if there are more than that, write the IP to /etc/shitlist.txt, and if a connecting IP is found in there, log and silently drop the connection. Can pf do this? I kind of think it would be an admission of failure to move sshd to a non-standard port because of these idiots.

-- John
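Added example, not part of John's post: one way to get what he asks for on a pf system. pf by itself can do the "table plus log and drop" half, and its `max-src-conn-rate` state option can rate-limit by source, but what pf counts is new TCP connections, not failed authentications; it never sees the ssh protocol. So the script below carries two pieces: a `pf.conf` fragment for the table and the connection-rate overload, and an awk scanner over the auth log that implements the actual "more than 2 failures in 30 seconds" rule and feeds `pfctl`. The interface name `em0`, the table name `shitlist`, the path `/etc/shitlist.txt` and the non-218.x log lines are assumptions made for the example; the first four sample lines are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Two halves:
#   pf_rules      - pf.conf fragment: persistent table loaded from a file,
#                   log+drop anything in it, rate-limit new ssh connections.
#   ssh_offenders - awk scanner for sshd failure events in an auth log,
#                   printing any IP with more than MAXFAIL events in any
#                   WINDOW-second span (pf cannot see auth failures itself).
# Assumptions: interface em0, table <shitlist>, list file /etc/shitlist.txt.

WINDOW=${WINDOW:-30}      # seconds
MAXFAIL=${MAXFAIL:-2}     # failures tolerated per source IP inside WINDOW
TABLE=${TABLE:-shitlist}
LISTFILE=${LISTFILE:-/etc/shitlist.txt}

# Print the pf.conf fragment. "persist" keeps the table even when no rule
# references it; "file" seeds it from LISTFILE at every pfctl -f.
pf_rules() {
    cat <<EOF
ext_if = "em0"                                  # assumption: your outside interface
table <$TABLE> persist file "$LISTFILE"

# Already on the list: log the packet, then drop it silently (no RST/ICMP).
block in log quick on \$ext_if from <$TABLE>

# Allow ssh, but more than $MAXFAIL *new connections* from one source within
# $WINDOW seconds adds the source to the table and kills all its states.
pass in on \$ext_if proto tcp to (\$ext_if) port 22 flags S/SA keep state \\
    (max-src-conn-rate $MAXFAIL/$WINDOW, overload <$TABLE> flush global)
EOF
}

# Read syslog-style auth lines on stdin, print each offending IPv4 once.
# Events arrive in time order, so "this event minus the one MAXFAIL events
# back is within WINDOW" is exactly "MAXFAIL+1 events inside a WINDOW span".
ssh_offenders() {
    awk -v max="$MAXFAIL" -v win="$WINDOW" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    # sshd lines that mean a client connected and did not get in.
    /sshd\[[0-9]+\]: (Received disconnect from|Failed .* from|Invalid user .* from|Connection closed by( authenticating user)?)/ {
        split($3, t, ":")
        # Coarse but monotonic timestamp; fine for a 30 s window,
        # wrong only across a year boundary (syslog has no year).
        ts = ((mon[$1] * 31 + $2) * 86400) + t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 4; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:?$/) { ip = $i; sub(/:$/, "", ip); break }
        if (ip == "") next
        n[ip]++; hit[ip, n[ip]] = ts
        if (n[ip] > max && ts - hit[ip, n[ip] - max] <= win && !(ip in bad)) {
            bad[ip] = 1; print ip; fflush()
        }
    }'
}

# Append each IP on stdin to LISTFILE (once) and load it into the live table.
# Needs root and an enabled pf, so nothing in this file calls it for you.
block_offenders() {
    while read -r ip; do
        grep -qxF "$ip" "$LISTFILE" 2>/dev/null || printf '%s\n' "$ip" >> "$LISTFILE"
        pfctl -t "$TABLE" -T add "$ip"
    done
}

# Constructed sample input: the first four lines are from the post, the
# 203.0.113.7 burst and the slow, legitimate 198.51.100.9 user are made up.
sample_log() {
    cat <<'EOF'
Feb 16 04:36:13 shell sshd[28127]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:17 shell sshd[8049]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:21 shell sshd[13624]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:25 shell sshd[3646]: Received disconnect from 218.108.234.158: 11: Bye Bye
Feb 16 04:36:30 shell sshd[4001]: Failed password for invalid user admin from 203.0.113.7 port 40221 ssh2
Feb 16 04:36:31 shell sshd[4002]: Failed password for invalid user admin from 203.0.113.7 port 40222 ssh2
Feb 16 04:36:32 shell sshd[4003]: Failed password for invalid user admin from 203.0.113.7 port 40223 ssh2
Feb 16 04:37:00 shell sshd[5001]: Failed publickey for john from 198.51.100.9 port 51000 ssh2
Feb 16 04:40:00 shell sshd[5002]: Failed publickey for john from 198.51.100.9 port 51001 ssh2
Feb 16 04:40:05 shell sshd[5003]: Accepted publickey for john from 198.51.100.9 port 51002 ssh2
EOF
}

# Usage (as root, live):  tail -f /var/log/authlog | ssh_offenders | block_offenders
# Dry run on the sample:  sample_log | ssh_offenders
```

Two caveats worth having before turning this on. First, the pf rule counts connections, so a legitimate user who opens an scp and two shells inside 30 seconds trips it too; the log scanner is the part that really implements "2 failures in 30 seconds", and the scanner counts the "Received disconnect" lines as failures because that is what the scanners in the post leave behind. Second, nothing here ever removes an entry: put something like `pfctl -t shitlist -T expire 86400` in cron (and `pfctl -t shitlist -T show > /etc/shitlist.txt` if the file should track the live table), or a mistyped passphrase from a dynamic address blocks the next person who gets that address. The regex only handles IPv4.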
