fail2ban

If the IP is often seen on the Internet, close unused ports, or open a VPN. About fail2ban - garbage, if you have authorization by public / private key, this is already 99.9% secure.

Disable password login or use a very complex password. Put fail2ban/ If the paranoia has not let go yet, then change the port number.
This is more than enough.

Is this a vulnerability?

These are open ports of services :D
22 - ssh. It's safe if you enter using the keys
80 - http - here is the site itself :) Site security is a separate issue
110 - pop3 - local mail delivery protocol. Deprecated. If not needed, disable
143 - imap - mail local delivery protocol. In addition to the site, do you also have mail here?
443 - https - secure part of the site
993 - imap over ssl. imap over self-opened SSL. I don't think you really need
995 - pop3 over ssl. pop3 over self-opened SSL. Definitely not needed

You need network services (obviously, ssh, web and mail), so there will be open ports anyway. You can change them to non-standard ones, but the benefits of this are a little more than zero: scanning open ports on the interface takes a few seconds.
So you need to protect already open ones: authentication, filtering by IP / mac, fail2ban, authorization by certificate, etc.