The forums ran from 2008-2020 and are now closed and viewable here as an archive.
So the service won’t start up…
I’ve figured out it’s probably because newer Linux versions are not writing a log file to /var/log/secure anymore. Instead it is controlled by systemd and logged in the journal.
Any idea as to how I can get Fail2Ban to find this log? I can change the logpath in the jail.local file then but do not know how to ‘filter’ the ssh data so it can be read and checked.
Many thanks in advance, googling for a few hours hasn’t given me an answer yet. Must be quite a new issue, this one.
Edit – I’m hopefully getting closer to a solution through the default backend setting. Let’s see where that goes.
Silly minimal install by the way. Won’t even make a sandwich by default.
I’m hopefully getting closer to a solution through the default backend setting. Let’s see where that goes.
Yep, that was it… editing the jail.local file :
[DEFAULT]
backend = systemd
Also removed the logpath from the [sshd] section.
I’ll be going with a key pair for the shell though…
So I found this, apparently it’s still a bit tricky and somewhat of a minor bug now that systemd is default on (most?) Linux versions :
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171
It’s having trouble finding the correct journalmatch…
Most of the stuff you can google is from a ‘past’ era. Apart from new system defaults, Fail2Ban also had a major overhaul.
:-/
That didn’t work either. Looks like journald is the troublemaker, I also see a lot of online issues with Apache logs. So I went with this approach and will point to (now) old-fashioned log files :
Can’t hurt to temper journald a bit, I read there as well.
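To illustrate why the journalmatch mentioned in the thread matters with backend = systemd, the following is an added example, not from the original posts and not Fail2Ban's own code: it selects journal entries by field match, then counts failed logins per address. The sample entries, the simplified regex, the AND-only match syntax and the function names are assumptions made for illustration.

```python
import json
import re
from collections import Counter

def _e(unit, comm, msg):
    # Build one constructed entry shaped like a line of `journalctl -o json`.
    return json.dumps({"_SYSTEMD_UNIT": unit, "_COMM": comm, "MESSAGE": msg})

# Constructed sample journal; addresses come from documentation ranges.
SAMPLE_JOURNAL = "\n".join([
    _e("sshd.service", "sshd", "Failed password for root from 203.0.113.7 port 40022 ssh2"),
    _e("sshd.service", "sshd", "Failed password for invalid user admin from 203.0.113.7 port 40023 ssh2"),
    _e("sshd.service", "sshd", "Failed password for root from 203.0.113.7 port 40024 ssh2"),
    _e("sshd.service", "sshd", "Failed password for root from 198.51.100.9 port 51000 ssh2"),
    _e("sshd.service", "sshd", "Accepted password for alice from 192.0.2.10 port 52000 ssh2"),
    _e("cron.service", "cron", "Failed password for root from 192.0.2.50 port 1 ssh2"),
    _e("sshd.service", "sshd", [70, 97, 105, 108]),  # non-UTF-8 MESSAGE arrives as a byte list
])

# Simplified stand-in for a failregex; not the filter Fail2Ban ships.
FAILED = re.compile(
    r"^Failed password for (?:invalid user )?\S+ from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def select(journal_text, match):
    """Yield entries whose fields equal every FIELD=value term in `match`.

    Assumption: terms are space-separated and ANDed; the '+' alternation
    that journal matches also allow is not implemented here.
    """
    wanted = dict(term.split("=", 1) for term in match.split())
    for line in journal_text.splitlines():
        entry = json.loads(line)
        if all(entry.get(k) == v for k, v in wanted.items()):
            yield entry

def offenders(journal_text, match, maxretry=3):
    """Return sorted addresses with at least `maxretry` failed logins."""
    hits = Counter()
    for entry in select(journal_text, match):
        msg = entry.get("MESSAGE")
        if not isinstance(msg, str):  # skip binary messages instead of crashing
            continue
        m = FAILED.match(msg)
        if m:
            hits[m.group("host")] += 1
    return sorted(ip for ip, n in hits.items() if n >= maxretry)

if __name__ == "__main__":
    print(offenders(SAMPLE_JOURNAL, "_SYSTEMD_UNIT=sshd.service _COMM=sshd"))
    print(offenders(SAMPLE_JOURNAL, "_SYSTEMD_UNIT=ssh.service _COMM=sshd"))
```

The second call uses a unit name that no sample entry carries, so nothing is selected and no address is ever reported, which is how a wrong journalmatch leaves a jail running but blind.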