The SSHGuard signature set and default settings block some addresses after just one failed login attempt (with an invalid user name):
2021-02-14T21:15:54.431024+01:00 server sshd: Invalid user fox from 18.104.22.168 port 10581
2021-02-14T21:15:54.432171+01:00 server sshguard: Attack from "22.214.171.124" on service SSH with danger 10.
2021-02-14T21:15:54.725680+01:00 server sshd: Received disconnect from 126.96.36.199 port 10581:11: Bye Bye [preauth]
2021-02-14T21:15:54.726377+01:00 server sshd: Disconnected from invalid user fox 188.8.131.52 port 10581 [preauth]
2021-02-14T21:15:54.726699+01:00 server sshguard: Attack from "184.108.40.206" on service SSH with danger 10.
2021-02-14T21:15:54.727899+01:00 server sshguard: Attack from "220.127.116.11" on service SSH with danger 10.
2021-02-14T21:15:54.727981+01:00 server sshguard: Blocking "18.104.22.168/32" for 120 secs (3 attacks in 0 secs, after 1 abuses over 0 secs.)
That’s just a single login attempt with an invalid user “fox”, then an ordinary SSH protocol disconnect, yet the address got blocked.
Besides this, if a user mistypes their login name and types their password twice, the address will also get blocked, even though it was just a single SSH connection with two login attempts.
This seems far too harsh by default.
This is a bit similar to @René Neumann's issue 137, but here users will not get 3 attempts to log in, but only a single one in the worst case.
SSHGuard version 2.4.1, OpenSSH 8.4_p1.
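The following is an added example, not part of the original report and not SSHGuard's own code: a simplified replay of the danger-score accumulation that counts how many distinct sshd connections (source ports) an address made before its score reached the threshold. The log is constructed from the one above with a single documentation address, and the threshold of 30 is an assumption inferred from the three danger-10 attacks that preceded the block; `replay` and `SAMPLE_LOG` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log in the report; 192.0.2.10 is a
# documentation address, not a value taken from the report.
SAMPLE_LOG = """\
2021-02-14T21:15:54.431024+01:00 server sshd: Invalid user fox from 192.0.2.10 port 10581
2021-02-14T21:15:54.432171+01:00 server sshguard: Attack from "192.0.2.10" on service SSH with danger 10.
2021-02-14T21:15:54.725680+01:00 server sshd: Received disconnect from 192.0.2.10 port 10581:11: Bye Bye [preauth]
2021-02-14T21:15:54.726377+01:00 server sshd: Disconnected from invalid user fox 192.0.2.10 port 10581 [preauth]
2021-02-14T21:15:54.726699+01:00 server sshguard: Attack from "192.0.2.10" on service SSH with danger 10.
2021-02-14T21:15:54.727899+01:00 server sshguard: Attack from "192.0.2.10" on service SSH with danger 10.
2021-02-14T21:15:54.727981+01:00 server sshguard: Blocking "192.0.2.10/32" for 120 secs (3 attacks in 0 secs, after 1 abuses over 0 secs.)
""".splitlines()

ATTACK = re.compile(r'sshguard: Attack from "([^"]+)" on service \S+ with danger (\d+)\.')
SSHD_PEER = re.compile(r'sshd: .*? (\d{1,3}(?:\.\d{1,3}){3}) port (\d+)')

def replay(lines, threshold):
    """Sum danger per address (simplified model, no time window) and report
    each point where the threshold is reached."""
    score = defaultdict(int)      # accumulated danger per address
    attacks = defaultdict(int)    # sshguard "Attack from" lines per address
    ports = defaultdict(set)      # distinct sshd source ports = connections
    blocks = []
    for line in lines:
        peer = SSHD_PEER.search(line)
        if peer:
            ports[peer.group(1)].add(peer.group(2))
            continue
        hit = ATTACK.search(line)
        if not hit:
            continue
        addr, danger = hit.group(1), int(hit.group(2))
        score[addr] += danger
        attacks[addr] += 1
        if score[addr] >= threshold:
            blocks.append({"address": addr, "attacks": attacks[addr],
                           "connections": len(ports[addr])})
            score[addr] = attacks[addr] = 0
            ports[addr].clear()
    return blocks

if __name__ == "__main__":
    for threshold in (30, 60):    # 30: assumed current value; 60: a laxer one
        print(threshold, replay(SAMPLE_LOG, threshold))
```

With the threshold at 30 the single connection is enough to trigger the block; at 60 the same lines do not, which is the effect of raising `THRESHOLD` in `sshguard.conf`.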