fail2ban is fine for a small VPS, but it is very slow, less necessary for key based authentication (passwords shouldn't be used, unless absolutely required) and shouldn't be used on high load systems, with that said, I've seen guides on its rewrites, which were able to handle gigabits per second. ufw can be replaced with a very simple iptables/ip6tables script, if you don't have complex routing. Not a single daemon required. Beware of things like Docker overriding them though. unattended-upgrade is often leaking memory all over the place, I use regular manual updates instead.