If you’re looking to actually do Fail2ban, look into crowdsec first. It’s a similar concept but instead of creating your own block lists by people hammering against your system until they’re banned, it uses community-populated lists to pre-ban known bad actors.

I know a lot of people shit on it from a decentralization perspective, but I use Cloudflare to expose all my services. Then anyone who hits my sites has to go through Cloudflare’s detections first. I have all my services behind a reverse proxy (nginx proxy manager) running locally, and that’s the only though exposed to the Internet through my router, also that ONLY allows connections at all from Cloudflare IPs or my local network. My home IP is obfuscated, my services can only be accessed using the ports I define, and things are happy. I also block as much as possible on my router, and have automatic updates on all my server VMs/LXCs.

You could also set up a Cloudflare tunnel to go to the reverse proxy and avoid needing to expose anything to the direct Internet.

Just turn off caching for any media servers domains/subdomains if you go with Cloudflare, or else it will try to cache any media on their servers and it’s technically a ToS violation so people get their accounts banned. It’s a simple setup to disable cache though.