Drupal is a very secure content management system and provides a lot of security for website owners out of the box. Drupal 8 and 9 come with flood prevention capabilities that protect against brute force login attacks on your website. However, if you want to go that extra mile and prevent access to the user/login page to anonymous users, you can use Disable Drupal Login Page module.
The module prevents access to /user/login page when accessed without a secret key and value that the admin can configure. So all access to /user/login without the secret key-value pair will result in an access denied response. This will prevent all kinds of bot access attempts on the website.
Once you configure this module you can also decide to configure the webserver to completely prevent access to /user/login when accessed without a query string. That will ensure that these login attempts would not even bootstrap Drupal and remove that unnecessary load on the server as well.