I have the current solution: fail2ban, and forbidding SSH as root in the sshd config. It's not as effective as I need in certain situations, most particularly on gateway servers, which have limited memory and disk space (because they are supposed to be lightweight).
Disabling login as root in the sshd config still permits the bots to connect, specify login as root, and try 3+ times. Fail2ban then blocks their IPs after 5 failures.
However, the incessant volume of bots then leaves 8 sshd threads in memory at any time, a 3GB auth.log of failures (30% of my disk space), huge memory overhead for fail2ban to filter and process them all, and slow response when we attempt to log in because there are 50,000+ IP blocks each connection must be filtered through first, and 20-48MB of memory used for logging and security is on swap because of the system demands of handling the volume of requests.
The preferable solution is: "when an SSH connection attempts to log in and user=root" then "sshd disconnect". Any attempt to specify the user root results in dropping the connection.
This would reduce the unnecessary processing to filter all the brute-force attacks out. I cannot use keys-only access because it causes the login to bypass the required two-factor authentication.
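One way to approximate the "user=root, then disconnect" behaviour described above, as an added sshd_config example that is not part of the original post. It assumes OpenSSH (every keyword used inside the Match block is one sshd_config(5) permits there), that the Match block is placed after all global settings, and that OpenSSH does not count the client's initial "none" probe against MaxAuthTries; the host and address in the check command are constructed placeholders.

```conf
# Added example: sshd_config fragment that makes a connection asking for
# "root" go away after its first failed authentication attempt, and caps
# how many unauthenticated connections sshd keeps alive at once.

# --- Global settings ---
PermitRootLogin no          # root never authenticates, whatever the method
MaxAuthTries 3              # per-connection cap for every other user
LoginGraceTime 20           # seconds an unauthenticated connection may linger
MaxStartups 10:30:60        # at 10 pending unauthenticated connections start
                            # dropping 30% of new ones, drop all at 60

# --- Must stay at the end of the file: Match applies until the next Match ---
# A connection that names the user "root" gets exactly one authentication
# attempt; on that failure sshd closes it with
# "Too many authentication failures" instead of letting it retry.
# (Assumption: the initial "none" method probe is not counted as a failure.)
Match User root
    MaxAuthTries 1

# Check the effective values for a hypothetical root login from a constructed
# address before reloading sshd (placeholders: example.invalid, 203.0.113.5):
#   sshd -T -C user=root,host=example.invalid,addr=203.0.113.5 \
#     | grep -i -e maxauthtries -e permitrootlogin
```

Reload sshd after editing and keep fail2ban watching auth.log: each root attempt still produces a short failure entry that fail2ban can act on, but the connection no longer lingers for repeated retries.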