Hi
My belief is that you should only allow the ARI to be accessible to the outside world IF IT IS SECURE. PiaF has put Directory access security on this.
In standard form, your ARI access is only protected by a username which is your extension, usually 3 or 4 digits, and a number, which for most installs I've seen seems to be 4 digits.
There are methods of fraud once someone has access to the ARI, e.g. divert your phone somewhere else, or possibly use SIP injection to send calls to an expensive destination, or simply listen to your recordings or voicemails.
Also note that a failed login to the ARI does not write logs to the http error_log, so Fail2Ban is useless in this instance. The hacker can have as many goes as he likes, and won't be blocked.
If you want to take the risk, and only if your system is not exposed to the outside world, then you can adjust /etc/pbx/httpdconf/pbx.conf to suit. But for the sake of a password that can be stored in the browser, it's just not worth the risk.
Joe