by UI_at_80x24
1659 days ago
Yes, everyone should use key-based authentication. What fail2ban and other firewall-style security measures do is move the point of contact on your network.

1 - You want to limit the number of times that SSHD initializes the connection handshake; this initialization period is when/where 0-day exploits can get through.

2 - With active auditing you can add the banned IPs to your edge device. Odds are that a legitimate IP won't be trying to SSH into your systems, so block everything from them. I go one step further and share that banned IP list on all my edge devices.
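An added example, not part of the comment above: one way to build the shared ban list it describes, by merging the sshd jail's Ban/Unban events from several hosts' fail2ban logs. The host names, log lines, and allowlisted admin range are constructed for illustration, and how the result reaches an edge device is left out.

```python
import ipaddress
import re

# Action lines in fail2ban.log look like:
#   2024-05-01 10:00:01,123 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.7
ACTION_RE = re.compile(
    r"fail2ban\.actions\s+\[\d+\]:\s+NOTICE\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<verb>Ban|Unban)\s+(?P<ip>\S+)"
)

# Constructed sample logs from two hypothetical hosts.
HOST_LOGS = {
    "web1": [
        "2024-05-01 10:00:00,001 fail2ban.filter  [812]: INFO [sshd] Found 203.0.113.7",
        "2024-05-01 10:00:01,123 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.7",
        "2024-05-01 10:05:10,456 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.44",
        "2024-05-01 10:15:10,789 fail2ban.actions [812]: NOTICE [sshd] Unban 192.0.2.44",
        "2024-05-01 10:20:00,100 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.9",
    ],
    "db1": [
        "2024-05-01 11:00:00,200 fail2ban.actions [431]: NOTICE [sshd] Ban 203.0.113.7",
        "2024-05-01 11:01:00,300 fail2ban.actions [431]: NOTICE [sshd] Ban 2001:db8::5",
        "2024-05-01 11:02:00,400 fail2ban.actions [431]: NOTICE [nginx] Ban 192.0.2.80",
        "2024-05-01 11:03:00,500 fail2ban.actions [431]: NOTICE [sshd] Ban not-an-ip",
    ],
}

# Assumption: the operator's own admin range, which must never be blocked.
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

def active_bans(lines, jail="sshd"):
    """Replay Ban/Unban events for one jail; return addresses still banned."""
    banned = set()
    for line in lines:
        m = ACTION_RE.search(line)
        if not m or m["jail"] != jail:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # never pass an unparsed token on to a firewall
        (banned.add if m["verb"] == "Ban" else banned.discard)(ip)
    return banned

def shared_blocklist(host_logs, allowlist):
    """Union every host's active bans, minus allowlisted ranges, sorted."""
    merged = set().union(*(active_bans(lines) for lines in host_logs.values()))
    kept = {ip for ip in merged if not any(ip in net for net in allowlist)}
    return [str(ip) for ip in sorted(kept, key=lambda ip: (ip.version, int(ip)))]

if __name__ == "__main__":
    print("\n".join(shared_blocklist(HOST_LOGS, ALLOWLIST)))
```

The allowlist check matters once bans are shared: a single host's false positive would otherwise lock the admin range out at every edge device.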