by deogeo 2540 days ago
A permaban is an awful idea. A legitimate user who forgot their password can easily go through more than 10 failed attempts as they try variations of what they think their own password might be.

"I know I used my usual password, but did it start lower or upper case? Or camel case... did I end it with a number? Did the service require a special symbol, so I added that to the end? Or to the beginning.." - banned.

2 comments
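As an added example (not code from the thread or from any commenter), here is what the alternative to a permanent ban looks like in practice: a per-account throttle with short, escalating lockouts that slow a guesser down but never lock a legitimate user out for good, next to the "N failures and you're out" policy the comment objects to. The parameters (5 free attempts, a 5 s base lockout doubling up to a 60 s cap, a 15 minute window) and the password variations are illustrative choices, not values from the thread.

```python
"""
Added example (not from the thread): a per-account login throttle that slows a
guesser down with short, escalating lockouts but never bans an account outright,
next to the "N failures and you're out" policy the comment argues against.
The numbers (5 free attempts, 5 s base lockout, 60 s cap, 15 min window) are
illustrative choices, not values from the thread.
"""
from dataclasses import dataclass, field

FREE_ATTEMPTS = 5          # failures that cost nothing; covers the usual typos
BASE_LOCK_SECONDS = 5.0    # first lockout; doubles on every further failure
MAX_LOCK_SECONDS = 60.0    # cap: the worst case for a legitimate user is a minute
WINDOW_SECONDS = 900.0     # failures older than this are forgotten


@dataclass
class _Account:
    failures: list = field(default_factory=list)   # timestamps of recent failures
    locked_until: float = 0.0


class EscalatingThrottle:
    """Temporary lockout whose length grows with consecutive failures, capped and self-healing."""

    def __init__(self):
        self._accounts = {}

    def _state(self, user, now):
        st = self._accounts.setdefault(user, _Account())
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        return st

    def check(self, user, now):
        """Seconds the caller must wait before an attempt is accepted (0.0 = go ahead)."""
        return max(0.0, self._state(user, now).locked_until - now)

    def record(self, user, success, now):
        """Record the outcome; on failure return the lockout applied (0.0 if still free)."""
        st = self._state(user, now)
        if success:
            st.failures.clear()
            st.locked_until = 0.0
            return 0.0
        st.failures.append(now)
        extra = len(st.failures) - FREE_ATTEMPTS
        if extra <= 0:
            return 0.0
        lock = min(BASE_LOCK_SECONDS * 2 ** (extra - 1), MAX_LOCK_SECONDS)
        st.locked_until = now + lock
        return lock


class PermabanThrottle:
    """The policy the comment objects to: after max_failures the account is locked for good."""

    def __init__(self, max_failures=10):
        self.max_failures = max_failures
        self._failures = {}
        self.banned = set()

    def check(self, user, now):
        return float("inf") if user in self.banned else 0.0

    def record(self, user, success, now):
        if success:
            self._failures[user] = 0
            return 0.0
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self.banned.add(user)
            return float("inf")
        return 0.0


def try_passwords(throttle, user, real_password, guesses):
    """Submit guesses in order on a simulated clock, waiting out any lockout between them.

    Returns (attempts_made, total_seconds_waited, outcome) with outcome one of
    "logged_in", "banned" (permanent lock hit) or "gave_up" (ran out of guesses).
    """
    now = total_wait = 0.0
    for attempts, guess in enumerate(guesses, start=1):
        wait = throttle.check(user, now)
        if wait == float("inf"):
            return attempts - 1, total_wait, "banned"
        now += wait
        total_wait += wait
        ok = guess == real_password
        throttle.record(user, ok, now)
        if ok:
            return attempts, total_wait, "logged_in"
    return len(guesses), total_wait, "gave_up"


# Constructed inputs: twelve variations of the kind the comment describes, then the right one.
LEGIT_USER_GUESSES = ["hunter2", "Hunter2", "HUNTER2", "hunter2!", "!hunter2", "hunter21",
                      "Hunter2!", "hunter2#", "hunter_2", "hunter22", "HuNtEr2", "hunter2$",
                      "Hunter2#"]
REAL_PASSWORD = "Hunter2#"
ATTACKER_GUESSES = [f"password{n}" for n in range(200)]   # constructed wordlist, none correct

if __name__ == "__main__":
    print("legit user, escalating:", try_passwords(EscalatingThrottle(), "alice", REAL_PASSWORD, LEGIT_USER_GUESSES))
    print("legit user, permaban:  ", try_passwords(PermabanThrottle(), "alice", REAL_PASSWORD, LEGIT_USER_GUESSES))
    print("online guesser, escalating:", try_passwords(EscalatingThrottle(), "alice", REAL_PASSWORD, ATTACKER_GUESSES))
```

Under the escalating policy the forgetful user gets in on the thirteenth try after a cumulative 255 seconds of waiting; under the ten-strike permaban the same user is locked out after ten wrong guesses and never gets in. An online guesser against the escalating policy is held to roughly one attempt a minute once the cap is reached, so 200 guesses cost over three hours, which is the trade-off: the lockout only needs to be long enough to make online guessing uneconomic, not permanent.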

Hence following current NIST guidelines, which do not require regular password changes, capitals, special characters or numbers in passwords: https://www.enzoic.com/surprising-new-password-guidelines-ni...

Don't be a PITA to your users, and you've eliminated most of the "guess what password you used" game.

Or getting your account banned after someone failed trying to brute-force it, and not being able to access it due to changes in security policies.

Fail2ban bans an IP address or range of IPs, not specific users.

That advice is pretty antiquated.

The reality is that, these days, I rent $5 worth of botnet time and make {user,password} combo login attempts from thousands of residential IP addresses.

You might think your advice is a good "might as well" elementary, but generally if people want to curl your /login page from their laptop, then they are also buying $5 scripts off Hack-Forums that automate botnet cred stuffing against your service as well. And you'll need a better gameplan than fail2ban.
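As an added example (not code from the thread or from the fail2ban project), the following models the point made in the last two comments over a constructed login log: a per-IP threshold of the kind fail2ban applies never fires when each of a few thousand bot addresses makes one or two attempts, a per-account lockout never fires either when every attempt targets a different account, and only a detector that looks at the login stream as a whole sees the run. The log, the 40 background users and the 100.64.0.0/10 bot addresses are all constructed placeholders, and the thresholds (5 failures per IP in 600 s, 10 per account in 15 min, 50 failures a minute globally) are illustrative, not values from the thread.

```python
"""
Added example (not from the thread): why a per-IP threshold like fail2ban's
misses credential stuffing spread over thousands of residential IPs, and what
a detector that looks at the login stream as a whole sees instead.
All log lines below are constructed; the 100.64.0.0/10 bot addresses are a
placeholder range, not real attacker infrastructure.
"""
from collections import Counter, defaultdict, deque


def constructed_events():
    """Constructed login log as (t_seconds, src_ip, username, success) tuples, one hour long."""
    events = []
    # Background: 40 legitimate users, 8 logins a minute, each from their own IP.
    # user3 mistypes a password at minutes 0, 20 and 40 (three failures, far apart).
    for minute in range(60):
        for k in range(8):
            uid = (minute * 8 + k) % 40
            failed_typo = uid == 3 and minute % 20 == 0
            events.append((minute * 60 + k * 7, f"10.0.{uid}.1", f"user{uid}", not failed_typo))
    # Attack, minutes 30-39: 3000 bots, each tries one leaked {user,password} pair
    # against a different account; one bot in ten tries a second pair 5 s later.
    for i in range(3000):
        t = 1800 + (i % 600)
        ip = f"100.64.{i // 256}.{i % 256}"
        events.append((t, ip, f"victim{i}", False))
        if i % 10 == 0:
            events.append((t + 5, ip, f"victim{i + 1}", False))
    events.sort()
    return events


def fail2ban_style_bans(events, maxretry=5, findtime=600):
    """Model of a fail2ban jail: ban a source IP that fails maxretry times within findtime seconds."""
    recent = defaultdict(deque)
    banned = set()
    for t, ip, _user, ok in events:
        if ok or ip in banned:
            continue
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned


def per_account_lockouts(events, max_failures=10, window=900):
    """Per-account rule: lock an account that fails max_failures times within window seconds."""
    recent = defaultdict(deque)
    locked = set()
    for t, _ip, user, ok in events:
        if ok:
            recent[user].clear()
            continue
        q = recent[user]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            locked.add(user)
    return locked


def global_failure_spikes(events, threshold=50):
    """Stream-level rule: flag any minute whose failed-login count exceeds threshold.

    Returns (minute, failed_logins, distinct_failing_ips) for each flagged minute;
    the distinct-IP count is what separates a botnet from one noisy client.
    """
    fails = Counter()
    ips = defaultdict(set)
    for t, ip, _user, ok in events:
        if not ok:
            fails[t // 60] += 1
            ips[t // 60].add(ip)
    return [(m, fails[m], len(ips[m])) for m in sorted(fails) if fails[m] > threshold]


EVENTS = constructed_events()

if __name__ == "__main__":
    print("IPs a fail2ban-style jail would ban:", len(fail2ban_style_bans(EVENTS)))
    print("accounts a per-account lockout would lock:", len(per_account_lockouts(EVENTS)))
    for minute, failed, sources in global_failure_spikes(EVENTS):
        print(f"minute {minute}: {failed} failed logins from {sources} distinct IPs")
```

On this log the per-IP jail bans nothing and the per-account lockout locks nothing, while the stream-level rule flags minutes 30 through 39 with 330 failures a minute from 300 distinct sources each. In a real deployment the spike detector would be the trigger for a response that does not depend on the source address, such as requiring a second factor or a challenge on the affected accounts and checking submitted passwords against breach corpora, rather than a signal to ban the bots one IP at a time.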