SSHguard is the fail2ban in the OpenBSD world

https://www.sshguard.net/

sshguard

On Linux hosts I use Fail2ban, but for OpenBSD, I use sshguard due to limitations regarding the compatibility. sshguard will at least slow down those password brute-force attempts, which appear too often from one single IPv4 or IPv6 endpoint.

Now, obviously we should be able to limit SSH access to important systems by enforcing key-based authentication and / or Multi-Factor Authentication (MFA) based on TOTP (Time-based OneTime Pad) for example. MFA authentication for OpenSSH on OpenBSD doesn’t seem to be a viable option today, though.

fail2ban