Hot take: pf's built-in connection tracking beats fail2ban/sshguard hands down.
One simple ruleset gives you automatic brute-force protection with ZERO userland daemons. No log parsing, no reaction delays, no additional attack surface.
table <bruteforce> persist
pass in proto tcp to port 22 flags S/SA (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global)
Kernel-level enforcement, instant blocking, survives reboots with persist.
Why spawn Python processes when your firewall already knows?