SSH fails after authentication

I have my user permitted to log in from 0.0.0.0 with SSH permitted, and the public key loaded.

When using PuTTY from the LAN side all is well. From the WAN side I see this:

Using username "userX".
Authenticating with public key "userXkey"

Then the connection closes.

/ip firewall filter
add action=accept chain=input comment="Accept wireguard" dst-port=51280 protocol=udp
add action=accept chain=input comment="Accept wireguard traffic" connection-limit=100,32 src-address=10.9.9.0/24 src-address-list=""
add action=add-src-to-address-list address-list=bruteforce_blacklist address-list-timeout=1d chain=input comment=Blacklist connection-state=new dst-port=22 protocol=tcp src-address-list=connection3
add action=add-src-to-address-list address-list=connection3 address-list-timeout=1h chain=input comment="Third attempt" connection-state=new dst-port=22 protocol=tcp src-address-list=connection2
add action=add-src-to-address-list address-list=connection2 address-list-timeout=15m chain=input comment="Second attempt" connection-state=new dst-port=22 protocol=tcp src-address-list=connection1
add action=add-src-to-address-list address-list=connection1 address-list-timeout=5m chain=input comment="First attempt" connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=!bruteforce_blacklist
add action=accept chain=input comment="Input for SSH" connection-state=established,related,new dst-port=22 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip ssh
set forwarding-enabled=both/user

Note this is mostly a default firewall configuration with anti-bruteforcing enabled.

What am I missing to get past authentication?

All the personalized rules must be put after "local loopback" and before "drop all not coming from LAN".

Useless connection-state.

Bruteforce

Bruteforce prevention (in this way) = suicide.
If the router doesn't have enough memory, in the event of a DDoS or "true" bruteforce attack, the router's memory will run out and the machine will overflow, rebooting or crashing.


Critical error, exiting.

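One way to check the rule placement the reply above asks for, as an added example that is not part of the thread: parse a `/ip firewall filter` export and report every non-defconf input rule that does not sit between the defconf loopback accept and the defconf "drop all not coming from LAN" rule. The sample export is a constructed, condensed subset of the rules posted in the question, in the order they were posted.

```python
import shlex

# Constructed sample: a condensed copy of the posted input chain, with the
# custom rules above the defconf block exactly as in the question.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="Accept wireguard" dst-port=51280 protocol=udp
add action=add-src-to-address-list address-list=connection1 address-list-timeout=5m chain=input comment="First attempt" connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=!bruteforce_blacklist
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""


def parse_rules(export: str, chain: str = "input") -> list[dict]:
    """Turn 'add key=value ...' export lines into dicts, keeping export order.
    shlex handles quoted values such as comment="First attempt"."""
    rules = []
    for line in export.splitlines():
        if not line.startswith("add "):
            continue
        rule = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
        if rule.get("chain") == chain:
            rules.append(rule)
    return rules


def check_custom_rule_placement(export: str) -> list[str]:
    """Report custom (non-defconf) input rules that are not placed between the
    defconf loopback accept and the defconf 'drop all not coming from LAN' rule."""
    rules = parse_rules(export)
    comments = [r.get("comment", "") for r in rules]
    loopback = next(i for i, c in enumerate(comments) if "local loopback" in c)
    drop_all = next(i for i, c in enumerate(comments) if "drop all not coming from LAN" in c)
    findings = []
    for i, rule in enumerate(rules):
        if rule.get("comment", "").startswith("defconf:"):
            continue  # default rules are left where the default config puts them
        if not loopback < i < drop_all:
            label = rule.get("comment") or rule["action"]
            findings.append(f"rule {i} ({label}) should sit after rule {loopback} "
                            f"and before rule {drop_all}")
    return findings


if __name__ == "__main__":
    for finding in check_custom_rule_placement(SAMPLE_EXPORT):
        print(finding)
```

Running it against the posted order flags all three custom rules; after moving them below the loopback rule (as the reply suggests) the check returns an empty list.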

Thank you for the suggestions, even about the bruteforce prevention. I've moved the custom rules after the local loopback rule and will test later.

As I'm a beginner with MikroTik, I'm learning that SSH behaves differently on MikroTik than on pfSense, but I really like the MikroTik too.