You don't necessarily have to use SSH and the easyrule block. It's just one possibility. You could always take fail2ban, add a custom action and use it to push the IPs that try to hit your webservers to a central instance/vm/whatever and collect it there. Then use pfBlockerNG to fetch this list of IPs and block it from WAN. Only "problem" is, that pfBNG isn't faster than "hourly", a thing that I tried to bring to the developers attention so that you had the possibility to go down to let's say 5-10min to blacklist an IP. But besides that, that's totally possible (we're running something along those lines ourselves).