The parent suggestion of just running git over SSH has a small attack surface, its not like HTTP accepting anyone through the front door. Set `PasswordAuthentication no` in `/etc/ssh/sshd_config` and I don't think you even need fail2ban. But you could put a rate limit on new connections to port 22, or leave the fail2ban setup as an additional guard, and of course you want to block all the other ports you don't need.