I've got a big picture question that may sound silly: What's the point in blocking the attacks?

If you've got user accounts with weak passwords, then that is a problem that should probably be addressed with higher priority than the frequency of attacks.

If you've only got users with strong public keys, then attacks won't succeed anyway. Blocking them will save you some resources, but will also redirect the attackers to weaker targets. Isn't it overall better to just tank the attacks?

@samgai Not a silly question at all, it's a great question!

One reason to block ssh brute force attempts is that you may have devices on your network that you don't know are vulnerable: for example, we see lots of attempts to attack IoT devices, such as a big spike of attempts to log in to accounts associated with the Dauha backdoors when those were revealed. We also see lots fo attempts to log into routers from various vendors (Unifi, MikroTik, and Huawei).

Another is that in some cases, you don't have full control over your users. The facility we operate is cloud-like in the sense that we do control the initial configurations of sshd and can force users to use good passwords, but after that, they have root and can - and do - change configurations or set local passwords in a way that makes the vulnerable.

A third reason is that a lot of these attacks are *probably* coming from botnets that are launching a range of different kinds of attacks. So if you can easily recognize them as ssh attackers, you can block them completely, possibly saving yourself from other attacks.

Finally, they consume resources on the target machine - maybe not a lot, but heavy attacks can have a significant impact, and we want to keep this impact low.