This is a verbatim import from NetBSD's patches, but doesn't have a copyright on it. I guess I should put on the NetBSD copyright, and have Christos augment the upstream diffs.
It's the action (zero = successful login), (one = failed login).
Ideally, the code would also send successful login to zero out any bad login counts that are in progress.
e.g. - two failed logins from an IP address, and then a successful login would reset the running count of failed logins to zero for that IP address.