fail2ban seems like security theater for a keys-only SSH server, and it won't help against zero days either (unless it happens to be one that requires many attempts).

The only thing it helps with is log spam, but then why not just configure SSH to not log login failures?