Using its standard configuration, how does fail2ban block offending SSH clients?

A. By rejecting connections due to its role as a proxy in front of SSHD.
B. By modifying and adjusting the SSHD configuration.
C. By creating and maintaining netfilter rules.
D. By creating null routes that drop any answer packets sent to the client.
E. By modifying and adjusting the TCP Wrapper configuration for SSHD.