Firstly, the GDPR doesn't care about PII - that's an American legal term and the GDPR is an EU law. It deals with processing personal data, and the two are not the same (although there is overlap, with PD having a more expansive definition).
Secondly, consent is only one of six legal bases for processing personal data. The other five are that:
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The last of those - legitimate interests - is clearly appropriate: the rights of the data subjects (i.e. the IP addresses' users) don't override the legitimate interests of securing one's machines, especially given the limited processing performed by tools like Fail2Ban.