SSH Fail2ban jail is not processing /var/log/secure

Symptoms

• Fail2ban does not ban IP address after many SSH authorization attempts. Failed login attempts are correctly written to
/var/log/secure
but Fail2ban does not parse them to
/var/log/fail2ban.log

• SSH is configured to use password-based authentication, not key-based.
• The rsyslog service is used for log management.
• Every new failed login attempt logs into /var/log/secure with time stamp different from actual system time:

  # tail -1  /var/log/secure
  sshd[16856]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10  user=root
  # date
  Sun Jan  1 18:51:43 SAST 2017

Cause

The rsyslog service is hang.

Resolution

To solve this behavior perform the following steps:

1. Connect to the server via SSH

2. Restart rsyslog process:

   # systemctl restart rsyslog.service

3. After that logs should be written to /var/log/secure in the actual system time:

   # tail -2  /var/log/secure
   sshd[16928]: PAM service(sshd) ignoring max retries; 6 > 3
   sshd[16940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10  user=root