Re: Not only missing 2FA
All of this comes down to a trade-off between how strong the system can be, versus how much whine you are prepared to tolerate from the users. Since the users in this case are MPs who are trusted with state secrets and are almost the highest authority in the land, I rather suspect that it is they and their great power which is the main cause of trouble.
From a sysadmin point of view, even just the simple TCP rate limit function provided by UFW is useful, in that it stops single IPs from banging away at a machine. Fail2Ban provides a much better level of protection, especially when the "findtime" is extended enough that somewhat more clever botnet attackers are detected and excluded. The problem with both is that a fat-fingered or dyslexic user will get passwords wrong, and will repeatedly get locked out until they demand that the security levels be decreased for them.
This is why 2FA is so important and so essential; use 2FA and only the dozy users who cannot follow instructions get left behind, and the cure for them is simple: get their secretary to handle all the technology for them a la Tony Blair.
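An added example, not part of the original comment: a simplified Python model of the Fail2Ban rule mentioned above (ban an IP once it has `maxretry` failures inside `findtime` seconds), run over constructed failure timestamps. The addresses, timings and the helper `banned_ips` are assumptions for illustration; the model ignores `bantime` and successful logins.

```python
from collections import defaultdict, deque

def banned_ips(events, maxretry, findtime):
    """Return {ip: time_of_ban} for a sliding-window failure counter.

    events: iterable of (timestamp_seconds, ip) for failed logins.
    An IP is banned when maxretry failures fall within findtime seconds.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    bans = {}
    for ts, ip in sorted(events):
        if ip in bans:
            continue              # already excluded, nothing more to count
        window = recent[ip]
        window.append(ts)
        # Forget failures that are older than findtime.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans

# Constructed sample data (documentation address ranges).
FAST_SOURCE = "203.0.113.10"   # hammers the service every 2 seconds
SLOW_SOURCE = "198.51.100.7"   # one guess every 400 seconds
CLUMSY_USER = "192.0.2.25"     # legitimate user mistyping over a morning

EVENTS = (
    [(t, FAST_SOURCE) for t in (0, 2, 4, 6, 8)]
    + [(t, SLOW_SOURCE) for t in (0, 400, 800, 1200, 1600, 2000)]
    + [(t, CLUMSY_USER) for t in (100, 130, 900, 1550, 2700)]
)

def compare(maxretry=5):
    """Run the same events against a short and an extended findtime."""
    return {
        "findtime=600": banned_ips(EVENTS, maxretry, 600),
        "findtime=3600": banned_ips(EVENTS, maxretry, 3600),
    }

if __name__ == "__main__":
    for label, bans in compare().items():
        print(label, bans)
```

With the 10-minute window only the fast source is banned; with the extended one-hour window the slow source is caught as well, and so is the user who mistypes occasionally.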