[kseifried]

Fail2ban could be potentially useful in an era of passwords, especially when systems allowed anyone to login remotely, and you only had the one server because servers were very expensive.

However, the moment the industry went to SSH Keys en masse, and got away from passwords, fail2ban stop serving any real purpose other than to make people feel like they had done something to improve security. Which it didn’t really, especially if you enforced key usage only for logins.

Literally, the only argument you can make is that fail2ban might reduce the number of log entries.

[zimpenfish]

> the moment the industry went to SSH Keys en masse [...] fail2ban stop serving any real purpose

That assumes people only use it for sshd, no? Which isn't the case [anecdatum] for me, at least - I use it for ssh, http (several servers), imap, smtp, mqtt, etc. Make a request for phpMyAdmin pages on my server? 10 day timeout for you, sir. IMAPS connection with incorrect username? 10 days in the bin. etc.

Yeah, it reduces log entries but it also reduces unwanted resource consumption and keeps my servers working instead of chugging under non-useful load.

[seized]

Fail2ban can parse other logs and taken other actions. I have it on my NVR VM, reading the logs from the old Unifi NVR software. Three failed attempts and Fail2ban runs a script that does an API call to my OpnSense firewall to ban that IP from every port. Forever. Haproxy also monitors the HTTP response codes and drops the TCP connection, allowing the block to happen once the bad IP tries to reconnect.

So it's not just for password based SSH.