The issue is that a SSH login attempt was even possible on the WAN interface, 22 is not supposed to be able accessible on the WAN because it is not open on the firewall. Password is 25 characters, randomly generated from KeePass. Anyhow, I removed login for root and setup the Ubuntu approach with a sudo user.
I had literally 5 non terminal login attempts to root, "Authentication failure for root via sshd from 184.108.40.206 ssh:notty", before Fail2ban did it's job and blocked the IP. I am aware that this is common if the ssh server is exposed to the internet but ssh access is supposed to only be available to my internal network, I VPN into the network if I need to do anything via ssh. I also don't have thousands log entries for failed root login attempts so it doesn't indicate that I have a config error but you never know.
Can anyone possibly shed some light on how/why this would happen?