Blacklist IP: different failure count for root

Sygmoral

In the past year, I have quite often had to unblock a whole business center where they apparently keep using wrong email passwords while setting up new mailboxes. The world would be a better place if they just always used the correct settings and passwords, but I guess that's not realistic! :)

What I want to do now is be a bit more lenient in general (like 15 failures or so), but block faster for root login attempts. I am the only person that would ever have to log in on root, so I'd be comfortable even with a setting of 3 or 2 for the root account. (I don't have a static IP, so I can't just whitelist only my own IP to log in on root.)

Is there any way to do that? A change in a script or configuration file somewhere? I'm fine with hardcoding the number for the root account, I just don't know where to start.
 
Hello,

We use CSF/LFD + DirectAdmin BFM. CSF is configured to temporarily block the IPs of attackers; in our configuration it blocks access only to the specific port which is under attack. Thus if somebody brute-forces FTP, then the attacker's IP will be blocked from accessing TCP:21 for a couple of hours, or any other time you might want. You may configure rules for SSH to block an IP after 2-3 failures.

Anyway, if an attacker keeps attacking even after its IP gets unblocked, it will be blocked once more, and this time permanently, either by CSF/LFD or by BFM+CSF.
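The policy asked about in this thread (a low failure limit for root, a lenient one for everything else), sketched as a stand-alone check over OpenSSH log lines. This is an added example, not part of the original posts and not how DirectAdmin BFM or CSF/LFD implement it; the one-hour window, the function names, the ISO timestamp prefix and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy (limits from the question; the window is an assumption).
ROOT_LIMIT = 3      # failures for root before an IP is blocked
ANY_LIMIT = 15      # failures for any account before an IP is blocked
WINDOW = timedelta(hours=1)

# OpenSSH failure line; an ISO-8601 syslog timestamp prefix is assumed.
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def ips_to_block(lines):
    """Return {ip: reason} for IPs that reached a limit within WINDOW."""
    root_fails, all_fails = defaultdict(list), defaultdict(list)
    blocked = {}
    for line in lines:  # lines are expected in chronological order
        m = FAILED.match(line)
        if not m:
            continue  # not a failed-login line
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        buckets = [(all_fails, ANY_LIMIT, "any account")]
        if m["user"] == "root":
            # root is checked first so it is reported as the reason
            buckets.insert(0, (root_fails, ROOT_LIMIT, "root"))
        for store, limit, reason in buckets:
            # drop failures older than the window, then record this one
            store[ip] = [t for t in store[ip] if ts - t <= WINDOW] + [ts]
            if len(store[ip]) >= limit:
                blocked.setdefault(ip, reason)
    return blocked

def _fail(ts, user, ip):  # builds one constructed log line
    return f"{ts} host sshd[100]: Failed password for {user} from {ip} port 50000 ssh2"

# Constructed sample log (documentation IP ranges), sorted by timestamp.
SAMPLE = sorted(
    [_fail(f"2024-05-01T10:0{i}:00", "root", "203.0.113.7") for i in range(3)]
    + [_fail(f"2024-05-01T10:1{i}:00", "invalid user info", "198.51.100.20") for i in range(5)]
    + [_fail(t, "root", "192.0.2.9") for t in
       ("2024-05-01T10:00:00", "2024-05-01T10:01:00", "2024-05-01T12:30:00")]
    + ["2024-05-01T10:20:00 host sshd[100]: Accepted password for root from 192.0.2.9 port 50000 ssh2"]
)

if __name__ == "__main__":
    print(ips_to_block(SAMPLE))
```

Failures are counted per source IP in two buckets, so an IP that mistypes ordinary account passwords a few times stays under the lenient limit, while three root failures inside the window trigger a block.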
 