You can, for example like this:

/ip firewall filter
add action=drop chain=input comment="ssh blacklist drop" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=4w2d chain=input comment="ssh stage3 to black list" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="ssh stage2 to stage 3" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="ssh stage1 to stage 2" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="ssh new to stage1" connection-state=new dst-port=22 protocol=tcp

We add ip from each new connection to the stage1 list for one minute, if there is another attempt during this minute, then we transfer it to stage2, then to stage3, and from there to the blacklist for 30 days, which, accordingly, we drop with the first rule.

Ilya Demyanov, your decision is absolutely wrong and the account immediately gets banned for 30 days. That is, if the owner accidentally enters the wrong password, then immediately block. This is not correct logic.
It is not clear why lay out the rules without checking them at all.