Does Fail2Ban actually only bans after failed login attempts?

[etkaar]

Does Fail2Ban actually only bans after failed login attempts or also if an IP address just connects to SSH (multiple times) without at all trying to login? I ask, because I personally do not use Fail2Ban, but I found records in the abuseipdb "Fail2Ban Ban Triggered" (flags Hacking, Brute-Force) and I am not sure if that can be clearly be seen as login attempts or port scanning only.

[sebres]

Shortly: fail2ban is very dynamic tool, so this is completely depending on its configuration.

Does Fail2Ban actually only bans after failed login attempts

It depends on the filter used, or else which mode (if filter has such option) is specified in the jail.

if an IP address just connects to SSH (multiple times) without at all trying to login?

Default sshd jail has parameter mode and if it would be set to ddos or even aggressive, IPs will be also banned after several "aborts" of authentication phase or other DDoS similar flood indicators.
But nothing stop you to provide own additional failregex (rules causing a failure count) as well as use other jails, monitoring different scenarios and attack vectors.

I found records in the abuseipdb "Fail2Ban Ban Triggered" (flags Hacking, Brute-Force)
I am not sure if that can be clearly be seen as login attempts or port scanning only

abuseipdb is just an additional action of fail2ban (original or custom user action) which can be used optionally to the banning action, but it is impossible to draw any clear conclusion based on its comment or whatever flags set there.

Not an issue, so moved to discussions as question.