This turns out to be covered by https://github.com/geerlingguy/ansible-role-security, which we're already using. The config is slightly different than what Mythic seem to have set up, though I'm not sure what difference it makes nor if we want to diverge from what that role offers.
Ah, looks like it should be easier than I expected to tweak the config -- there's a security_fail2ban_custom_configuration_template which we could set if we wanted.
This turns out to be covered by https://github.com/geerlingguy/ansible-role-security, which we're already using. The config is slightly different than what Mythic seem to have set up, though I'm not sure what difference it makes nor if we want to diverge from what that role offers.