I know it’s SFTP but still, can’t you autoblock an IP after X number of failed attempts? You wouldn’t necessarily slow throughput if you limited the filter to authentication. Once a channel was established, pass through the filter without incident.
If I owned the Firewalls, yes I could. Unfortunately the people who own/run/manage them don't report to me. Yet.
Once they do, then it's a whole new ballgame and a bunch of them are going to find themselves on the street.