1)Yes by default we match all cases, you can change that if you don’t want to match all cases. More details are listed in nxauth.conf file.
2)nxd.conf matches connections through NX protocol. So it’s purpose can be to restrict number of connections, by default we do that if there are more than 20 connections in last 5 seconds.
3)nxd jail’s purpose is to ban remote hosts that are making too much connections in a very little timeframe, so we set it to 5 seconds.
IPs that get banned from both of those filters end up in fail2ban.log I am worried that if someone like me uses the recidive filter, nxd could potentially trigger it to ban an IP for a very long time, I guess the 5 seconds findtime and 20 retries will stop it from doing that.