Fail2Ban: not detecting failed logins

Fix Fail2Ban when it does not detect failed login attempts due to wrong backend, log path, or filter configuration.

Fail2Ban does not detect failed login attempts because the backend, log path, or filter configuration does not match the system's logging setup.

When Fail2Ban Produces This Error

fail2ban-client status sshd shows Currently failed: 0 and Total failed: 0 even though failed SSH login attempts are visible in the system logs.

What Causes Fail2Ban to Not Detect Failed Logins

The most common cause is a backend mismatch. If backend = auto selects a file-based backend but the system logs to the systemd journal (no /var/log/auth.log file), Fail2Ban monitors a nonexistent file and detects nothing.

Another cause is an incorrect logpath. If the application logs to a non-standard location, Fail2Ban's default logpath does not find the entries.
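
The two causes above can be told apart before any configuration is changed. The following script is an added example, not part of Fail2Ban or of the original page; the function name check_jail_source, its verdict words and the default pattern "Failed password" are assumptions, and the sample log line is constructed.

```shell
#!/bin/sh
# Added example (not Fail2Ban code): classify where a jail is looking.
# Usage: check_jail_source BACKEND LOGPATH [PATTERN]
# Prints a one-word verdict; returns 0 when the source can yield matches.
check_jail_source() {
    backend=$1
    logpath=$2
    pattern=${3:-Failed password}  # assumption: usual sshd failure text

    # With backend = systemd the journal is read and logpath is not used.
    if [ "$backend" = "systemd" ]; then
        echo "journal"
        return 0
    fi
    # File-based backends: the file must exist, be readable, and contain
    # the failures that are visible elsewhere (for example in the journal).
    if [ ! -e "$logpath" ]; then
        echo "missing-logpath"      # backend mismatch: nothing to monitor
        return 1
    fi
    if [ ! -r "$logpath" ]; then
        echo "unreadable-logpath"
        return 1
    fi
    if ! grep -q -- "$pattern" "$logpath"; then
        echo "no-failures-in-file"  # the service logs somewhere else
        return 1
    fi
    echo "ok"
}

# Demo on constructed data in a scratch directory.
demo_dir=$(mktemp -d)
# Constructed sample line in the style of an sshd failure.
echo "Jan  1 00:00:00 host sshd[100]: Failed password for root from 192.0.2.10 port 4242 ssh2" > "$demo_dir/auth.log"
: > "$demo_dir/empty.log"
for spec in "auto:$demo_dir/auth.log" "auto:$demo_dir/absent.log" \
            "auto:$demo_dir/empty.log" "systemd:$demo_dir/absent.log"; do
    verdict=$(check_jail_source "${spec%%:*}" "${spec#*:}") || true
    echo "${spec%%:*} ${spec#*:} -> $verdict"
done
rm -rf "$demo_dir"
```

On a real host, pass the backend and logpath values from the jail's configuration; a verdict of missing-logpath or no-failures-in-file corresponds to the two causes described above.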

How to Fix Fail2Ban Not Detecting Failures

  1. Set backend = systemd for services that log to the journal:

    [DEFAULT]
    backend = systemd

  2. Verify the filter matches the log format:

    sudo fail2ban-regex systemd-journal /etc/fail2ban/filter.d/sshd.conf

  3. Restart Fail2Ban:

    sudo systemctl restart fail2ban

How to Verify the Fix

Generate a failed login attempt and check that Fail2Ban detects it:

    sudo fail2ban-client status sshd

The Currently failed counter should increment.