Instead of fail2ban, you could access OSMC using SSH but in your router don’t forward the common 22 port but for example port 9382 (randomly chosen) to the internal 22.
And then use SSH tunneling to access any other service running on your OSMC device: