
I take a different approach than fail2ban. My sftp servers use a standard port 22 and any time people try to log in, I create an account for them automatically via a cron job in the sftp-only group and a null password. The bots will spend years trying to log in repeatedly every few minutes. I have yet to see them upload anything interesting. Many years ago, bots would upload malware, then try to browse to it on port 80. But no more... These bots just want to get a shell and install malware / c&c tools. Some of them try port forwarding, but I have that restricted for the sftp users.
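Added example, not part of the comment above: a Python audit of the confinement the commenter describes for SFTP-only accounts (no shell, port forwarding restricted), computed from an `sshd_config`. The group name `sftp-only`, both sample configs and the list of required settings are assumptions made for illustration; only literal `Match Group <name>` lines are handled.

```python
# Added example: effective sshd settings for an SFTP-only group, then an audit.
# Group name and sample configs are constructed; they are not from the comment.
DEFAULTS = {"forcecommand": "none", "allowtcpforwarding": "yes",
            "allowagentforwarding": "yes", "permittunnel": "no",
            "x11forwarding": "no"}          # OpenSSH defaults when unset
REQUIRED = {"forcecommand": "internal-sftp", "allowtcpforwarding": "no",
            "allowagentforwarding": "no", "permittunnel": "no",
            "x11forwarding": "no"}

def effective_settings(config_text, group):
    """Defaults, then global section, then the 'Match Group <group>' block."""
    global_kv, block_kv, section = {}, {}, "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split(None, 1)
        key, value = key.lower(), (rest[0].strip() if rest else "")
        if key == "match":                  # a Match block runs to the next Match
            crit = value.split()
            hit = (len(crit) == 2 and crit[0].lower() == "group"
                   and group in crit[1].split(","))
            section = "block" if hit else "other"
        elif section == "global":
            global_kv.setdefault(key, value)   # sshd keeps the first value seen
        elif section == "block":
            block_kv.setdefault(key, value)
    return {**DEFAULTS, **global_kv, **block_kv}

def audit(config_text, group):
    """Return findings; an empty list means the group is confined to SFTP."""
    eff = effective_settings(config_text, group)
    findings = []
    for key, want in REQUIRED.items():
        got = eff[key].split()[0].lower() if eff[key] else ""
        if got != want:
            findings.append(f"{key}: effective {got!r}, expected {want!r}")
    return findings

SAMPLE_WEAK = "Subsystem sftp internal-sftp\nMatch Group sftp-only\n" \
              "    ForceCommand internal-sftp\n"
SAMPLE_HARDENED = SAMPLE_WEAK + "    AllowTcpForwarding no\n" \
    "    AllowAgentForwarding no\n    PermitTunnel no\n    X11Forwarding no\n"

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(cfg, "sftp-only") or "OK")
```

In the weak sample, `ForceCommand internal-sftp` removes the shell but forwarding is still left at the OpenSSH defaults, which is the gap the audit reports.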

