It depends. Usually this is controversial.
The BSD family has blacklistd, which is perfect for filtering bruteforcers/scanners on the application layer. Linuxes are arrogant, so they only have a peculiar Python framework, fail2ban, which, in my opinion, should've been rejected during alpha testing and not allowed to enter any production-level installation.
On the other hand, if you don't allow root to log in via ssh (which is a usual security choice), then you have an additional bruteforce barrier (once again, several Linux distributions insist that root should be able to log in via SSH).
Still controversial. Some engineers prefer to bind sshd to some port other than the traditional tcp/22, some will allow ssh only via VPNs (see, this tells us something about fail2ban already). That's kind of a personal choice. I myself don't close tcp/22 on my servers, but I use password policies and don't allow root to log in via SSH. Some may say that I'm walking on the edge. I say - using ssh on tcp/2202 is self-torture.