Both sshd_config and fail2ban work by blocking authentication requests over a specified path, thus notifying the attacker about the protection measures in place.
Wouldn't it be more desirable to not give any information to the attacker?
- SSH: Still prompt for a password, even though only key authentication is allowed, and just return 'wrong password' without giving it a look?
- Fail2Ban: After n failed login attempts, reroute the attacker's traffic to a process on a different port, which from then on returns a static 'login failed' response to the attacker, indistinguishable from the server's response for wrong passwords.
Is my thought flawed? Is it possible to configure sshd or fail2ban the depicted way?
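The fail2ban half of the idea can be expressed as a custom ban action: instead of DROP/REJECT, the ban rule NATs the offending source to a second listener on the same host. The configuration below is an added example written by the editor, not something from the question or from the fail2ban project; the action name `ssh-redirect`, the jail name `sshd-trap`, the chain name, the log path and the trap port 2222 are all assumptions. The `<ip>` and `<name>` placeholders, and the `actionstart`/`actionstop`/`actioncheck`/`actionban`/`actionunban` keys, are fail2ban's own action-file syntax.

```ini
# /etc/fail2ban/action.d/ssh-redirect.conf  (assumed file name, added example)
#
# Ban = REDIRECT new TCP connections from <ip> on port 22 to a trap listener on
# port 2222 instead of dropping them. fail2ban substitutes <ip> and <name>.
# Only NEW connections are affected: the NAT table is consulted on the first
# packet of a flow, so an attacker's already-open session is not moved.
[Definition]
actionstart = iptables -t nat -N f2b-<name>
              iptables -t nat -I PREROUTING -p tcp --dport 22 -j f2b-<name>
actionstop  = iptables -t nat -D PREROUTING -p tcp --dport 22 -j f2b-<name>
              iptables -t nat -F f2b-<name>
              iptables -t nat -X f2b-<name>
actioncheck = iptables -t nat -n -L f2b-<name> >/dev/null
actionban   = iptables -t nat -I f2b-<name> 1 -s <ip> -p tcp --dport 22 -j REDIRECT --to-ports 2222
actionunban = iptables -t nat -D f2b-<name> -s <ip> -p tcp --dport 22 -j REDIRECT --to-ports 2222

# /etc/fail2ban/jail.local  (jail fragment, assumed values)
#
# Reuses the stock sshd filter; only the ban action differs from the default.
[sshd-trap]
enabled   = true
port      = ssh
filter    = sshd
logpath   = /var/log/auth.log
maxretry  = 5
bantime   = 1h
banaction = ssh-redirect
```

Two caveats a practitioner would want before relying on this. First, whatever listens on 2222 must speak the SSH protocol: the "login failed" the attacker sees is sent inside the encrypted transport after key exchange, so a process that writes a static plaintext string cannot be "indistinguishable" from sshd. A second sshd instance (or an SSH honeypot) with no valid credentials, presenting the same version banner and host key as the real service, is the realistic way to get an identical-looking failure. Second, fail2ban still has to read the trap's authentication failures from a log, or the attacker's later attempts will never extend the ban; point the trap's logging at a file the jail also watches, or give it its own jail.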