Viewing a response to: @krnel/secure-your-linux-server-with-fail2ban
I see a lot of aggressive e.g. 2-3 failed attempt configurations that forgot to whitelist their own IP, so good job there and I just wanted to reiterate that point because it is very easy to hit 3 failed attempts. What I did not see is what I consider the best part of fail2ban: with minimal knowledge of regex you can create custom filters, which means you can monitor any file for specific lines and leave it up to a simple fail2ban setting (in /etc/fail2ban/filter.d which is uneditable by the apache/nginx user) for deciding whether the offending IP has done enough to warrant a ban. Protect Drupal or WordPress installations without use of yet another plugin requiring several updates per year? Yes please. Even more powerful, any time a web developer is sanitizing input they can simply log it when the code detects a condition they would never expect. For instance, a log line might look like "SUSPICIOUS BEHAVIOR by [IP]: submitting data to a dropdown box that is not one of the dropdown items". And the rest -- monitoring a user for how frequently they conduct a suspicious act and banning when appropriate -- is all handled by fail2ban. Instead what I frequently see is a developer writing the entire logging, checking, banning, and cleanup sequence into every page load. Just look at popular security plugins for WordPress/Drupal. If you have control of the server, fail2ban and a custom filter make for a far better option with a fraction of the effort.
author | bilbo |
---|---|
permlink | re-krnel-secure-your-linux-server-with-fail2ban-20161204t170919702z |
category | cybersecurity |
json_metadata | {"tags":["cybersecurity"]} |
created | 2016-12-04 17:09:18 |
last_update | 2016-12-04 17:09:18 |
root_title | "Secure Your Linux Server with Fail2Ban" |
Thanks for the feedback and extra suggestions. Much appreciated :)
author | krnel |
---|---|
permlink | re-bilbo-re-krnel-secure-your-linux-server-with-fail2ban-20161204t172303001z |
category | cybersecurity |
json_metadata | {"tags":["cybersecurity"]} |
created | 2016-12-04 17:23:03 |
last_update | 2016-12-04 17:23:03 |
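
The custom filter described in bilbo's comment, written out as an added example that is not part of the original thread or of fail2ban's shipped filters. Assumptions: the filter name `app-suspicious`, the log path, the thresholds, and that the application writes a timestamp followed by the bare client IP where the comment shows `[IP]`.

```ini
# --- /etc/fail2ban/filter.d/app-suspicious.conf (hypothetical filter name) ---
[Definition]
# Matches lines the application writes when input validation fails, e.g.
# (constructed sample):
#   2016-12-04 17:09:18 SUSPICIOUS BEHAVIOR by 203.0.113.45: value not in dropdown
# fail2ban matches the timestamp first and applies failregex to the rest of
# the line, so the expression is anchored with ^. Anchoring also means text a
# visitor submits, which can only appear after the colon, cannot pose as the
# offending address. <HOST> is fail2ban's placeholder for the address to ban.
failregex = ^\s*SUSPICIOUS BEHAVIOR by <HOST>:
ignoreregex =

# --- /etc/fail2ban/jail.local (add this section) ---
[app-suspicious]
enabled  = true
filter   = app-suspicious
# Assumed log location. The web application only needs to append to this
# file; the filter and jail files stay root-owned.
logpath  = /var/log/webapp/suspicious.log
port     = http,https
# Ban an address for 1 hour after 5 matching lines within 10 minutes.
maxretry = 5
findtime = 600
bantime  = 3600
# Addresses that are never banned; 198.51.100.10 stands in for your own IP.
ignoreip = 127.0.0.1/8 198.51.100.10
```

Before enabling the jail, `fail2ban-regex /var/log/webapp/suspicious.log /etc/fail2ban/filter.d/app-suspicious.conf` reports how many lines of the log the filter matches.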