by Polyisoprene 2540 days ago
Or getting your account banned after someone failed trying to brute force it and not being able to access it due to changes in security policies.

Fail2ban bans an IP address or range of IPs, not specific users.
That advice is pretty antiquated.

The reality is that, these days, I rent $5 worth of botnet time and make {user,password} combo login attempts from thousands of residential IP addresses.

You might think your advice is a good "might as well" elementary, but generally if people want to curl your /login page from their laptop, then they are also buying $5 scripts off Hack-Forums that automate botnet cred stuffing against your service as well. And you'll need a better gameplan than fail2ban.
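
An added example (not part of the thread and not fail2ban's own code) showing the point above on constructed login events: a per-IP retry threshold bans nothing when failures are spread over many addresses, while counting failures per account and across sources still surfaces them. The function names, thresholds and sample addresses are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data: (second, source_ip, username, success).
# 40 distinct addresses (documentation range) make one or two failed logins each.
def sample_events():
    events = []
    for i in range(40):
        ip = f"203.0.113.{i + 1}"
        events.append((i, ip, "alice", False))         # one account hit from every IP
        if i % 2 == 0:
            events.append((i, ip, f"user{i}", False))  # plus assorted other accounts
    # A legitimate user who mistypes a password once, then succeeds.
    events.append((5, "198.51.100.7", "bob", False))
    events.append((9, "198.51.100.7", "bob", True))
    return events

def per_ip_bans(events, max_retry=5):
    """Simplified model of a per-IP retry threshold (assumed value: 5)."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n >= max_retry}

def per_account_alerts(events, max_fail=10, min_ips=5):
    """Flag accounts whose failures are numerous and spread over many IPs."""
    fails, ips = Counter(), defaultdict(set)
    for _, ip, user, ok in events:
        if not ok:
            fails[user] += 1
            ips[user].add(ip)
    return {u for u in fails if fails[u] >= max_fail and len(ips[u]) >= min_ips}

def distributed_failure_ratio(events, low=2):
    """Share of all failed logins that come from IPs with at most `low` failures."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    total = sum(fails.values())
    quiet = sum(n for n in fails.values() if n <= low)
    return quiet / total if total else 0.0

if __name__ == "__main__":
    ev = sample_events()
    print("per-IP bans:", per_ip_bans(ev))
    print("accounts flagged:", per_account_alerts(ev))
    print("share of failures from quiet IPs:", distributed_failure_ratio(ev))
```

A flagged account is a signal for step-up checks or review rather than an automatic lock, which would recreate the lockout problem raised in the parent comment.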