Waf is the way to go I think. Fail2ban has had it’s own issues over the years, and if you use keys then you can forget about the constant SSH attempts. The ‘AllowUsers’ option in your SSH config is a good place to start too.

I just find all of these “lock down port 22” posts to be so noobish. Declarative waf is the way to go

Edit: Red Hat Identity Management (IdM) + Hashicorp Vault if you really care about SSH. Rotate your keys and create new users automatically