I'm trying to configure fail2ban to block ssh from a local hosts. Fail2ban is install on CentOS 7 with firewall (Linux 3.10.0-229.4.2.el7.x86_64 x86_64 ). I have copied the jail.conf to jail.local i have change the following parameters in jail.local:

banaction = firewallcmd-new
enabled = true
maxretry = 5
port = ssh
logpath = /var/log/secure
action = firewallcmd-ipset

And i have no results. Any idea ?

Some log info:

Jun 23 07:21:33 localhost.localdomain fail2ban-client[2486]: 2015-06-23 07:21:33,351 fail2ban.server         [2487]: INFO    Starting Fail2ban v0.9.1
Jun 23 07:21:33 localhost.localdomain fail2ban-client[2486]: 2015-06-23 07:21:33,351 fail2ban.server         [2487]: INFO    Starting in daemon mode
Jun 23 07:21:33 localhost.localdomain systemd[1]: Started Fail2Ban Service.

2015-06-23 07:14:27,571 fail2ban.server         [1926]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
2015-06-23 07:14:27,710 fail2ban.database       [1926]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2015-06-23 07:14:27,788 fail2ban.jail           [1926]: INFO    Creating new jail 'sshd'
2015-06-23 07:14:27,923 fail2ban.jail           [1926]: INFO    Jail 'sshd' uses poller
2015-06-23 07:14:27,985 fail2ban.filter         [1926]: INFO    Set jail log file encoding to UTF-8
2015-06-23 07:14:27,985 fail2ban.jail           [1926]: INFO    Initiated 'polling' backend
2015-06-23 07:14:28,063 fail2ban.filter         [1926]: INFO    Added logfile = /var/log/secure
2015-06-23 07:14:28,064 fail2ban.filter         [1926]: INFO    Set maxRetry = 2
2015-06-23 07:14:28,066 fail2ban.filter         [1926]: INFO    Set jail log file encoding to UTF-8
2015-06-23 07:14:28,066 fail2ban.actions        [1926]: INFO    Set banTime = 86400
2015-06-23 07:14:28,067 fail2ban.filter         [1926]: INFO    Set findtime = 600
2015-06-23 07:14:28,068 fail2ban.filter         [1926]: INFO    Set maxlines = 10
2015-06-23 07:14:28,158 fail2ban.server         [1926]: INFO    Jail sshd is not a JournalFilter instance
2015-06-23 07:14:28,459 fail2ban.jail           [1926]: INFO    Jail 'sshd' started
2015-06-23 07:21:32,667 fail2ban.server         [1926]: INFO    Stopping all jails
2015-06-23 07:21:33,181 fail2ban.jail           [1926]: INFO    Jail 'sshd' stopped
2015-06-23 07:21:33,188 fail2ban.server         [1926]: INFO    Exiting Fail2ban
2015-06-23 07:21:33,404 fail2ban.server         [2489]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
2015-06-23 07:21:33,406 fail2ban.database       [2489]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2015-06-23 07:21:33,409 fail2ban.jail           [2489]: INFO    Creating new jail 'sshd'
2015-06-23 07:21:33,413 fail2ban.jail           [2489]: INFO    Jail 'sshd' uses poller
2015-06-23 07:21:33,433 fail2ban.filter         [2489]: INFO    Set jail log file encoding to UTF-8
2015-06-23 07:21:33,433 fail2ban.jail           [2489]: INFO    Initiated 'polling' backend
2015-06-23 07:21:33,438 fail2ban.filter         [2489]: INFO    Added logfile = /var/log/secure
2015-06-23 07:21:33,439 fail2ban.filter         [2489]: INFO    Set maxRetry = 3
2015-06-23 07:21:33,440 fail2ban.filter         [2489]: INFO    Set jail log file encoding to UTF-8
2015-06-23 07:21:33,441 fail2ban.actions        [2489]: INFO    Set banTime = 86400
2015-06-23 07:21:33,442 fail2ban.filter         [2489]: INFO    Set findtime = 600
2015-06-23 07:21:33,442 fail2ban.filter         [2489]: INFO    Set maxlines = 10
2015-06-23 07:21:33,501 fail2ban.server         [2489]: INFO    Jail sshd is not a JournalFilter instance
2015-06-23 07:21:33,599 fail2ban.jail           [2489]: INFO    Jail 'sshd' started

And SELinux is disabled.

  • 27
  • 1
  • 8
  • What on earth would you need to firewall off as a fail2ban from local host on ssh for..? We can answer more effectively if you clarify this – Timothy Frew Jan 24 '19 at 00:18
  • check http://www.fail2ban.org/wiki/index.php/FAQ_english to make sure fail2ban works well, also check user and root timezone – netawater Dec 11 '21 at 03:40

3 Answers3


If you're on a newer version of fail2ban, the chains are lazily created. Maybe this answer helps with debugging.

  • 141
  • 5


fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

It should has n matched. If not check your failregex.

Then run

sudo fail2ban-client set loglevel DEBUG

Check fail2ban.log to see if it accesses sshd logfile(auth.log or secure).

If above are OK, please check timezone, fail2ban use system timezone, if log file doesn't use, it cause findtime out of action.

Nigel Alderton
  • 942
  • 3
  • 9
  • 18
  • 101
  • 2

In the file below,

/etc/fail2ban/jail.conf (note if you are using jail.local the same can be applied there also) try changing auto to gamin or polling

Note: if systemd backend is chosen as the default but you enable a jail for which logs are present only in its own log files, specify some other backend for that jail (e.g. polling) and provide empty value for journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200

So, changing

backend = auto


backend = gamin 


backend = polling

Worked for me.

  • 3,639
  • 10
  • 26
  • 36
  • 1
  • 1