Hi, I'm not sure if this is a real bug, but it makes configuration very difficult for service ssh and e.g. ftp.
One failed ftp connect with an invalid user or a wrong password is considered one attack with score 10 which is fine.
But one ssh connect with an invalid user or wrong password is considered two attacks, thus score 20. The initial "invalid user" or "Authentication failure" will cause the first attack to be counted. Subsequent wrong passwords won't sum up, so one can enter a wrong password three times until ssh closes the connection, or press Ctrl-C. However, closing the connection will spit the "Connection closed ... [preauth]" which will count a second time.
Thus, one failed ssh connection has 20, one failed ftp connection has 10. Therefore it's impossible to set up something like "5 failed accounts are ok, then block". ftp will block after 5 failures, but ssh will already block during the 3rd.
I guess you have a method to group messages together, so that they don't sum up. Likely the closing message should go into that group, too, if it matches former connection or authentication failure messages?
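
The counting described in the report, reproduced as an added example (not part of the original post and not the tool's own code). The log lines are constructed, and the message patterns and the use of the sshd PID to identify one connection are assumptions made for this sketch.

```python
import re
from collections import defaultdict

SCORE = 10  # per-attack score quoted in the post

# Constructed sample (not real logs): two failed ssh connections from one address.
SAMPLE = [
    "sshd[4101]: Invalid user admin from 192.0.2.7 port 50100",
    "sshd[4101]: Failed password for invalid user admin from 192.0.2.7 port 50100 ssh2",
    "sshd[4101]: Connection closed by invalid user admin 192.0.2.7 port 50100 [preauth]",
    "sshd[4102]: Invalid user test from 192.0.2.7 port 50144",
    "sshd[4102]: Connection closed by invalid user test 192.0.2.7 port 50144 [preauth]",
]

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)")
ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+")


def classify(msg):
    """Map a message to 'auth', 'close' or None (patterns are assumptions)."""
    if msg.startswith(("Invalid user", "Failed password")):
        return "auth"
    if msg.startswith("Connection closed") and msg.endswith("[preauth]"):
        return "close"
    return None


def score(lines, group_close):
    """Return {address: score}.

    group_close=False mirrors the post: repeated auth failures of one
    connection count once, but the closing message counts again.
    group_close=True puts the closing message into the same group.
    """
    totals = defaultdict(int)
    counted = set()  # (sshd pid, group) pairs already scored
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        kind = classify(m["msg"])
        addr = ADDR.search(m["msg"])
        if kind is None or addr is None:
            continue
        key = (m["pid"], "conn" if group_close else kind)
        if key not in counted:
            counted.add(key)
            totals[addr.group(1)] += SCORE
    return dict(totals)


if __name__ == "__main__":
    print("as reported:", score(SAMPLE, group_close=False))
    print("close grouped:", score(SAMPLE, group_close=True))
```

With the closing message in the same group, each failed ssh connection scores 10, the same as one failed ftp connection.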