Fail2ban failed to ... ban and monitor anything?

I have this issue in Rocky Linux 9 (LXC container) with fail2ban.
This is my [sshd] conf in jail.local :
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
enabled = true

This is what I get :
-# fail2ban-client get sshd logpath
No file is currently monitored

I have no idea what is wrong with it since it should be default, or close to the default config.
Any idea what I should do please ?

Thanks for your help

fail2ban-client get logtarget

Is the value defined elsewhere in Fail2ban’s standard configuration?

fail2ban-client -vvd 2>&1 | grep -i 'sshd_log'

 cat /etc/fail2ban/paths-common.conf  | grep -i sshd_log
my answer is:
sshd_log = %(syslog_authpriv)s

cat /etc/fail2ban/paths-common.conf  | grep -i syslog_authpriv
my answer is:
syslog_authpriv = /var/log/auth.log
sshd_log = %(syslog_authpriv)s
dropbear_log = %(syslog_authpriv)s

Thank you for your reply, @rlamintegrator
If I’m not mistaken, I have the same results you have:

~ » fail2ban-client -vvd 2>&1 | grep -i 'sshd_log'
returns nothing
~ » cat /etc/fail2ban/paths-common.conf  | grep -i sshd_log
sshd_log = %(syslog_authpriv)s
~ » cat /etc/fail2ban/paths-common.conf  | grep -i syslog_authpriv
syslog_authpriv = /var/log/auth.log
sshd_log = %(syslog_authpriv)s
dropbear_log = %(syslog_authpriv)s

Don’t know :(
Perhaps a comparison with these results will help you

# cat /etc/redhat-release 
Rocky Linux release 9.2 (Blue Onyx)
# cat /etc/fail2ban/jail.local  | grep -v ^#
action    = %(action_mwl)s
banaction = nftables-multiport
chain     = input
enabled = true
bantime = 5m
maxretry = 10
# cat /etc/fail2ban/jail.conf  | grep -i "\[sshd\]" -A 15
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# cat /etc/fail2ban/paths-common.conf | grep -i sshd_backend
sshd_backend = %(default_backend)s
# cat /etc/fail2ban/paths-common.conf | grep -i "sshd"
sshd_log = %(syslog_authpriv)s
sshd_backend = %(default_backend)s
# ls -la /var/log/fail2ban.log
-rw------- 1 root root 5064 Jun  3 10:02 /var/log/fail2ban.log
# ls -la /var/log/messages
-rw------- 1 root root 8701535 Jun  3 20:00 /var/log/messages
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	
# fail2ban-client get loglevel
Current logging level is INFO
# fail2ban-client get logtarget
Current logging target is:
`- /var/log/fail2ban.log
# fail2ban-client get syslogsocket
Current syslog socket is:
`- auto

Thanks a lot, @rlamintegrator
In the end, it kind of solved itself, but your answer (and conf) helped me figure out a few things.

  • I saved my conf files and removed fail2ban, then reinstalled it.
  • Then I started configuring again, going from your conf and progressively reaching what I need.

I can confirm it’s finally working after seeing a few bans already.
My guess is, my recent upgrade from Rocky 8 to Rocky 9 (which has been a bit … rocky) has messed up a few files or something.
Anyway, thank you for your help.
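
Added example, not part of any post in this thread: a short Python script that follows the `%(name)s` chain the grep commands above traced by hand, and reports where the `[sshd]` jail would read from. With the `systemd` backend fail2ban reads the journal and `logpath` is not used, which matches the "Journal matches" line in the working status output. The config text is constructed from the values quoted in the thread; the `default_backend` values, the helper names, and the use of the stdlib `configparser` as a stand-in for fail2ban's own reader are assumptions.

```python
import configparser
import os
import re

# Constructed stand-ins for paths-common.conf and jail.local, using the values
# quoted in the thread; default_backend is an assumed value, not from the page.
PATHS = """[DEFAULT]
default_backend = {backend}
syslog_authpriv = /var/log/auth.log
sshd_log = %(syslog_authpriv)s
sshd_backend = %(default_backend)s
"""
JAIL = """[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
enabled = true
"""
REF = re.compile(r"%\(([^)]+)\)s")

def load(backend):
    # stdlib configparser stands in for fail2ban's own config reader
    cfg = configparser.ConfigParser()
    cfg.read_string(PATHS.format(backend=backend))
    cfg.read_string(JAIL)
    return cfg

def trace(cfg, jail, option):
    """Follow %(name)s references hop by hop, as the grep commands did."""
    chain, seen = [], set()
    while option not in seen:
        seen.add(option)
        raw = cfg.get(jail, option, raw=True, fallback=None)
        chain.append((option, raw))
        ref = REF.fullmatch(raw.strip()) if raw else None
        if ref is None:
            break
        option = ref.group(1)
    return chain

def diagnose(cfg, jail, exists=os.path.isfile):
    """Say where the jail will read from: the journal, a file, or nothing."""
    backend, logpath = cfg.get(jail, "backend"), cfg.get(jail, "logpath")
    if backend == "systemd":
        source = "journal (logpath unused)"
    elif exists(logpath):
        source = "file"
    else:
        source = "missing file"
    return {"backend": backend, "logpath": logpath, "source": source}
```

Calling `diagnose(load("polling"), "sshd")` on a host without `/var/log/auth.log` reports `missing file`, the case where a file-based jail has nothing to watch.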

