You'll get thousands of attacks a day (and it's been years since I have done this, so probably worse). They try the list of 1000 or so most common passwords across the whole internet. It works often enough to be cost effective.
Yeah exactly. If your password can be bruteforced in 1000 or so attempts you have bigger problems than not having fail2ban on ssh. The parent comment was suggesting someone was hacked in an hour for leaving ssh on default settings, and it's obviously not true.
You're misreading my point. I didn't recommend 'fail2ban' or claim any machine without it is as good as compromised. I recommended removing the attack surface entirely by not exposing SSH to the public internet. The point is removing an attack surface completely instead of relying on operator competency.
Relying on a 'sane password' is like seeing the stat '1 out of 10 cars is left unlocked' and commenting 'Yeah, but those people are stupid, I'd never forget to lock mine!'. While maybe true, it's irrelevant. It's objectively safer to keep the car in a private garage (Tailscale) than to leave it on a public street. Feel free to leave your car wherever.