I have found that dynamic IP blocking programs such as sshguard or fail2ban are a CPU burden, since that table needs to be refreshed as new IPs are added or removed, so I have stopped using them.

Have you seen ipset?
https://ipset.netfilter.org/

It is built for dynamically adding/removing IPs from a firewall without changing a table or rules or reloading the firewall. It holds a hash map in memory of what IPs to block and integrates into the kernel. However, you have to build your own mousetrap to use it. I don't know of anything out of the box that would automatically add IPs to it; I wrote my own script that gets fed log lines from rsyslog to do it.
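
A minimal version of that kind of mousetrap, as an added example and not the poster's script: it reads sshd lines on stdin (the way an rsyslog omprog action would feed them), counts authentication failures per source address over a sliding window, and adds repeat offenders to an ipset set with a per-entry timeout, so entries expire on their own and no rule or table is ever reloaded. The set name "blocklist", the thresholds, the script path and the rsyslog wiring in the comments are assumptions; the sample log lines are constructed.

```python
#!/usr/bin/env python3
# Added example (not the poster's script): turn sshd failure lines into ipset
# entries. Assumed rsyslog wiring, in /etc/rsyslog.d/sshd-ipset.conf:
#   module(load="omprog")
#   if $programname == "sshd" then
#       action(type="omprog" binary="/usr/local/bin/sshd-to-ipset.py")
# One-time firewall setup, run once as root (see setup_commands()):
#   ipset -exist create blocklist hash:ip timeout 3600
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
import ipaddress
import re
import subprocess
import sys
import time
from collections import defaultdict, deque

SET_NAME = "blocklist"   # assumed set name
THRESHOLD = 5            # failures inside WINDOW before an address is added
WINDOW = 600             # seconds
BAN_SECONDS = 3600       # ipset per-entry timeout; the kernel expires it for us

# Common sshd failure messages; IPv4 only because the set above is created
# without "family inet6".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user|"
    r"maximum authentication attempts exceeded for) .*?"
    r"from (?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
)


def parse_failed_login(line):
    """Return the offending IPv4 address in an sshd failure line, else None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group("ip")))
    except ValueError:        # e.g. 999.1.1.1 in a malformed line
        return None


class FailureTracker:
    """Per-address sliding window of failure timestamps."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)

    def record(self, ip, now):
        """Record one failure; True when ip reaches the threshold within the
        window. The window is then reset so one burst gives one ipset add."""
        q = self.events[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()
            return True
        return False


def setup_commands(set_name=SET_NAME, ban_seconds=BAN_SECONDS):
    """Commands to create the set and hook it into INPUT (run once)."""
    return [
        ["ipset", "-exist", "create", set_name, "hash:ip", "timeout", str(ban_seconds)],
        ["iptables", "-I", "INPUT", "-m", "set", "--match-set", set_name, "src", "-j", "DROP"],
    ]


def ban_command(ip, set_name=SET_NAME, ban_seconds=BAN_SECONDS):
    """ipset add for one address; -exist makes a repeat add refresh the
    timeout instead of failing."""
    return ["ipset", "-exist", "add", set_name, ip, "timeout", str(ban_seconds)]


def process_lines(lines, tracker, clock=time.time, dry_run=False):
    """Feed lines through the tracker; return the addresses that got banned."""
    banned = []
    for line in lines:
        ip = parse_failed_login(line)
        if ip is None or not tracker.record(ip, clock()):
            continue
        if not dry_run:
            subprocess.run(ban_command(ip), check=False)
        banned.append(ip)
    return banned


# Constructed sample input for a dry run; not real log data.
SAMPLE_LINES = [
    "Jan  5 12:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Jan  5 12:00:02 host sshd[1234]: Invalid user oracle from 203.0.113.7 port 51235",
    "Jan  5 12:00:03 host sshd[1240]: Accepted publickey for bob from 198.51.100.2 port 40000 ssh2",
    "Jan  5 12:00:04 host sshd[1241]: Failed password for root from 203.0.113.7 port 51236 ssh2",
]

if __name__ == "__main__":
    dry = "--dry-run" in sys.argv
    tracker = FailureTracker()
    for ip in process_lines(sys.stdin, tracker, dry_run=dry):
        print(f"added {ip} to {SET_NAME}", file=sys.stderr, flush=True)
```

Run it with --dry-run on a saved auth log first to see which addresses it would add. Because every entry carries its own timeout, nothing ever has to walk the set to remove expired addresses; the CPU cost per blocked IP is one hash insert, which is the point the original poster was missing with sshguard and fail2ban.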
