Block SSH access from specific countries

You need the equivalent to this in your distro:

$ apt-cache show xtables-addons-common
Package: xtables-addons-common
Description-en: Extensions targets and matches for iptables [tools, libs]
 Xtables-addons provides extra modules for iptables not present in the
 kernel, and is the successor of patch-o-matic.
 Extensions includes new targets like TEE, TARPIT, CHAOS, or modules like
 geoip and account.

You are interested in the geoip module. Then add some rules to your iptables.

Check the 4th point in the HOWTO.

A simple walkthrough the example rules:

# iptables -A INPUT -m geoip --src-cc A1,A2 -j DROP

The above command adds a rule in the INPUT chain that uses the geoip module to match connections originating from a specific country, identified by its ISO 3661 code. In this case, A1 and A2 represent:

 A1 => "Anonymous Proxy" ,
 A2 => "Satellite Provider" ,

This command uses the negation (!) to invert the match, resulting in all traffic not originating from the specified country (CA, in this case) being dropped:

# iptables -A INPUT -m geoip ! --src-cc CA -j DROP

The last example shows you how create a custom chain in order to analyze traffic to your sshd server:

# iptables -N SSH_GEOIP
# iptables -A SSH_GEOIP -m geoip --src-cc CA
# iptables -A SSH_GEOIP -m geoip --src-cc DE
# iptables -A SSH_GEOIP -m geoip --src-cc US
# iptables -A SSH_GEOIP -m geoip --src-cc JP
# iptables -A SSH_GEOIP -m geoip --src-cc FR
# iptables -A SSH_GEOIP -m geoip ! --src-cc CA,DE,US,JP,FR
# iptables -A INPUT -p tcp --dport 22 -j SSH_GEOIP 

As an alternative, you could filter any ssh traffic by using the hosts.deny file and then allow traffic from selected countries specifically by querying a shell script in the hosts.allow file. See this tutorial: https://www.axllent.org/docs/view/ssh-geoip/