But it also helps in reducing the load on your servers when, e.g., instead of 300+ login attempts per minute on your mail ports, you get 20 because the IP gets banned for a day after 2 failures. Or, instead of nginx spending 90% of its time sending out 404s for the various PHP and MySQL holes I do not have installed, it can spend 10% of its time instead.
Particularly on my small server, fail2ban is the difference between "usable" and "on the edge of falling over".
If you’re a hobbyist sysadmin setting up a personal VPS then the security risk is your own competence in correctly configuring things the better more robust less risky way, but you can’t replace yourself with a more competent sysadmin in this scenario, so fail2ban helps to Swiss cheese model this edge case.
Excuse me, if fail2ban is frowned upon, what is the alternative to block crawlers that try to find wordpress or php endpoints on my website, two software that I don't have installed?
The idea is you don't have to block those since there is no attack surface.
I look at the imap login attempts on my server sometimes. The passwords they try are usually pathetic. Nothing close to the 15+ character actual passwords we have in use.
Particularly on my small server, fail2ban is the difference between "usable" and "on the edge of falling over".