I installed OSSEC HIDS in a Ubuntu 18.04 LTS server in a Virtualbox virtual machine, for testing purposes.
After OSSEC I installed fail2ban and started to test it.
fail2ban is configured by me for banning an IP after 4 wrong login attempts via ssh.
So, I tried to ssh connect to my server from another virtual machine, and after 3 attempts (not 4) I was disconnected and apparently banned for about 600 seconds.
Now, I wondering what could be happened.
It cannot be fail2ban to have banned me, because fail2ban registered only 2 attempts and did not ban me.
Is it perhaps OSSEC configured by default to ban an IP after 3 wrong ssh login attempts?
I could not find documentation.
I noticed that fail2ban enters into play only if there is long time between two failed ssh login attempts.