Anecdote: I know I'm not a very big target, but disabling password authentication and using fail2ban has kept all of my servers and home machines safe and hacker-free for multiple years now. Even during the Debian SSH key fiasco, fail2ban would lock out would-be brute-forcers early enough that they weren't able to exploit my weak SSH key before I could get home from vacation, regenerate my key, and distribute it to all my machines.