Fail2Ban DROP instead REJECT

iptables-blocktype.conf

#Depending on version one of the following files must exist

root@host:/ nano /etc/fail2ban/action.d/iptables-blocktype.conf

or 

root@host:/ nano /etc/fail2ban/action.d/iptables-common.conf


comment the line
#blocktype = REJECT --reject-with icmp-port-unreachable

create the line
blocktype = DROP

Write it to iptables-common.local

Why is the default REJECT? Surely DROP is better?

Because it not sending packet back. So not using your outgoing traffic.
Also attacker doesn't known if packet reach the destination.
He will wait establishing TCP connection until timeout. So he is using more resources.

Exactly my point, so why isn't DROP used?

an old but related conversation
fail2ban/fail2ban#507

What's crazy is that one of the commenters posted firewalling best practices, which said that DROP harms legitimate users.... which is the reason to use DROP in this one specific situation, because in this case you know for sure this is an illegitimate user. Also DDOS is that much worse when you have to respond eating your uplink bandwidth.

Agreed, the default should be DROP. Legitimate users shouldn't be effected because legitimate users shouldn't banned.

Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 95097
| - Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd - Actions
|- Currently banned: 483
|- Total banned: 1785
DROP, REJECT, Same fight. I don't understand why connection attempts continue while IP addresses are banned.
[...]
root (111.229.48.141): 45 Time(s)
root (119.29.105.3): 45 Time(s)
root (138.68.106.62): 45 Time(s)
root (156.54.174.197): 45 Time(s)
root (202.100.188.108): 45 Time(s)
root (37.139.7.127): 45 Time(s)
root (68.183.126.143): 45 Time(s)
[...]
Does anyone have any idea?

I think REJECT is very strange choice for default.
I've realize it when found a lot of ICMP traffic from me. It customizes easy, but a lot of people will not change it.
I've read #507 and I'm not agree.