You might want to double-check if the fail2ban version you're using has IPv6 support -- just sayin' :-)
It should really be about fully disabling legacy SSH password authentication. Presence of fail2ban is a strong sign of poor security.
Worth noting it's standard to be given a /64 or /56 IPv6 block. Some providers still only give a /128 but that's just poor setup on their part.
1) You are assuming fail2ban is only usable with SSH, but it's not.
2) It is possible to ban IP ranges, as opposed to single IP addresses.
3) It's not about A 'xor' B -- nobody is implying fail2ban should be your one and only single line of defense.
The problem with banning IP ranges is that there's a huge amount of collateral damage. Many people have an IPv6 /64 or /56 but many only have a /128. An attacker can get multiple addresses in the same block specifically to perform a denial of service attack for the rest of it.
Even doing banning based on a single IPv4 address can have a lot of collateral damage beyond just shared networks like a university or workplace. IPv4 has run out and CGNAT is increasingly widespread, even beyond mobile data.
IP rate limits and bans easily become a DoS vector.
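The trade-off argued over in this thread, as an added example (not written by any of the posters and not fail2ban's own code): failed logins are counted per ban key at different IPv6 prefix lengths, and the result lists which networks get banned and which legitimate clients are caught with them. The function names, the threshold and all addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data using documentation ranges (2001:db8::/32, 203.0.113.0/24).
FAILED_LOGINS = (
    ["2001:db8:0:1::%x" % i for i in range(1, 7)]  # six addresses in one /64, one failure each
    + ["203.0.113.7"] * 6                          # one IPv4 address, six failures
    + ["2001:db8:0:2::10"]                         # one mistyped password from a real user
)
# Clients that should keep access. 203.0.113.7 stands for a user behind the
# same CGNAT address as the source of the six IPv4 failures.
LEGIT_CLIENTS = ["2001:db8:0:1::beef", "2001:db8:0:2::10", "203.0.113.7"]


def ban_key(addr, v6_prefix=64, v4_prefix=32):
    """Return the network an address is counted (and banned) under."""
    ip = ipaddress.ip_address(addr)
    prefix = v6_prefix if ip.version == 6 else v4_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def evaluate(failures, legit, threshold=5, v6_prefix=64):
    """Count failures per ban key, ban keys at or over the threshold,
    and report legitimate clients that fall inside a banned network."""
    counts = Counter(ban_key(a, v6_prefix) for a in failures)
    banned = {net for net, n in counts.items() if n >= threshold}
    collateral = sorted(a for a in legit if ban_key(a, v6_prefix) in banned)
    return sorted(str(net) for net in banned), collateral


if __name__ == "__main__":
    for prefix in (128, 64, 56):
        banned, collateral = evaluate(FAILED_LOGINS, LEGIT_CLIENTS, v6_prefix=prefix)
        print(f"IPv6 /{prefix}: banned={banned} collateral={collateral}")
```

Per-address counting (/128) never reaches the threshold for the failures spread across one /64, while /64 and /56 keys catch them at the cost of blocking more of the legitimate clients; the shared IPv4 address is collateral in every case.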



