The master sshd knows which connections have authenticated successfully, and which have not. IMO this makes the master sshd the best place to put any logic such as "no more than N/s connections with unsuccessful authentication from any remote IP" and so on.
Nico --
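
The limit described in the message above, sketched as a per-address sliding window that a master process could update when a connection ends unauthenticated and consult on accept. This is an added example, not sshd code and not part of the original message; the function names, the table size, N = 3 and the 1-second window are assumptions.

```c
#include <string.h>
#include <time.h>
#define MAX_SRC  64  /* tracked addresses (assumed table size) */
#define MAX_FAIL 3   /* N: failed-auth connections tolerated per window */
#define WINDOW   1   /* window length in seconds */
struct src {
    char   addr[46];        /* textual IPv4/IPv6 address */
    time_t fail[MAX_FAIL];  /* ring of failure times, 0 = empty slot */
    int    next, used;
};
static struct src table[MAX_SRC];

/* Failures from this source that still fall inside the window. */
static int recent_failures(const struct src *s, time_t now) {
    int n = 0;
    for (int i = 0; i < MAX_FAIL; i++)
        if (s->fail[i] != 0 && now - s->fail[i] < WINDOW)
            n++;
    return n;
}

/* Find addr; with create set, claim an unused or fully expired entry. */
static struct src *lookup(const char *addr, time_t now, int create) {
    struct src *spare = NULL;
    for (int i = 0; i < MAX_SRC; i++) {
        if (table[i].used && strcmp(table[i].addr, addr) == 0)
            return &table[i];
        if (!spare && (!table[i].used || !recent_failures(&table[i], now)))
            spare = &table[i];
    }
    if (!create || !spare) return NULL;  /* unknown, or table full (fail open) */
    memset(spare, 0, sizeof(*spare));
    strncpy(spare->addr, addr, sizeof(spare->addr) - 1);
    spare->used = 1;
    return spare;
}

/* Master calls this when a connection ends without authenticating. */
void record_auth_failure(const char *addr, time_t now) {
    struct src *s = lookup(addr, now, 1);
    if (s == NULL) return;
    s->fail[s->next] = now;
    s->next = (s->next + 1) % MAX_FAIL;
}

/* Master calls this on accept(): 1 = serve, 0 = drop. */
int allow_connection(const char *addr, time_t now) {
    struct src *s = lookup(addr, now, 0);
    return s == NULL || recent_failures(s, now) < MAX_FAIL;
}
```

Connections that authenticate successfully never reach `record_auth_failure`, so legitimate users behind the same address are only affected while that address has N recent failures.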