diff --git a/server/core/listener.cc b/server/core/listener.cc
index 44440a3f3..3e428f28a 100644
--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@@ -56,11 +56,18 @@ namespace
 class RateLimit
 {
 public:
- bool auth_failed(const std::string& remote)
+ /**
+ * Mark authentication from a host as failed
+ *
+ * @param remote The host from which the connection originated
+ *
+ * @return True if this was the failure that caused the host to be blocked
+ */
+ bool mark_auth_as_failed(const std::string& remote)
 {
 auto& u = m_failures[remote];
 u.last_failure = Clock::now();
- return ++u.failures >= config_get_global_options()->max_auth_errors_until_block;
+ return ++u.failures == config_get_global_options()->max_auth_errors_until_block;
 }
 
 bool is_blocked(const std::string& remote)
@@ -1030,7 +1037,7 @@ void Listener::accept_connections()
 
 void Listener::mark_auth_as_failed(const std::string& remote)
 {
- if (rate_limit.auth_failed(remote))
+ if (rate_limit.mark_auth_as_failed(remote))
 {
 MXS_NOTICE("Host '%s' blocked for %d seconds due to too many authentication failures.",
 remote.c_str(), BLOCK_TIME);
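Review bot: In `RateLimit::mark_auth_as_failed` (first hunk), the switch from `>=` to `==` makes the return value edge-triggered, so the "Host blocked" notice in `Listener::mark_auth_as_failed` fires only when the counter lands exactly on `max_auth_errors_until_block`. That limit is re-read from the global options on every call, so if it can be lowered at runtime below a host's current count, or if the counter is not reset when a block expires, the count passes the limit without ever equalling it and the block is never logged; whether the host is still refused depends on `is_blocked()`, whose body is outside the hunk. Anyone alerting on this log line for brute-force detection would miss those hosts. I would at least state the dependency next to the return, `// Edge-triggered: true only on the failure that reaches the limit; is_blocked() must enforce the limit on its own`, and consider tracking a per-host "already reported" state instead of relying on exact equality.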