Some thoughts on OpenSSH 9.8's PerSourcePenalties ...

[mscdex]

I think it goes without saying that you would still want to be using keys instead of passwords for the actual authentication. Port knocking should always be an additional layer, not a replacement layer.