Use normal throttle instead of 1 hour bans for the Git and JWT failed auth rate limit
Problem
Throttling by banning the whole IP with 403s for an hour is confusing to debug, and is unnecessarily harsh on legitimate users who unintentionally trigger the ban. E.g. https://gitlab.com/gitlab-com/support-forum/issues/3274
Proposal
Switch to normal throttle behavior for Git and JWT requests, counting only failed auth requests (as we already do). Respond to all Git and JWT requests with 429 if the failed auth requests have exceeded the rate limit.
This way, both "smart" and "dumb" brute force attempts would still be mitigated as effectively as they are currently. And legitimate users wouldn't get blocked from GitLab.com and switch to a competitor.
What benefit do we get from the current fail2ban behavior?
When the offender (intentional or not) actually goes over the limit, the site load and number of attempts are drastically reduced with a ban rather than a regular throttle.
Whereas an attacker with knowledge of the limit would be mitigated equally effectively with a ban as with a regular throttle.