Just a short note for fail2ban users (and me); it is already stated at the end of the FAQ:
“So, check that all your logs are synchronized: all log files (auth.log, syslog, ...) must use the same time reference (if your server is not very busy, there will probably be an important difference between the output of date command and the last event logged in syslog. You can force to generate a log in syslog using the logger command and check then with the output of date command)

    # date
    Wed Nov 28 13:49:02 CET 2007
    # tail -2 /var/log/auth.log
    Nov 28 13:39:12 sudo: pam_unix(sudo:session): session opened for user root by user(uid=0)
    Nov 28 13:39:12 sudo: pam_unix(sudo:session): session closed for user root

If time reference is not the same everywhere, then fail2ban won’t ban any IP!”
That means if you somehow played with your timezone (e.g. ran the dpkg-reconfigure tzdata command) and the timestamps in your auth.log no longer match the output of date, then fail2ban is not going to block / ban the IP addresses that it should, even though it matched them perfectly.
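The comparison the FAQ describes (last log timestamp against the output of date) can be scripted. The sketch below is an added example, not code from fail2ban or its FAQ; the function names, the 60-second tolerance and the half-hour heuristic for spotting a timezone mismatch are assumptions made for illustration.

```python
from datetime import datetime, timedelta

def log_skew(line, now):
    """Seconds by which `now` is ahead of the timestamp that starts a syslog line."""
    # Classic syslog stamps ("Nov 28 13:39:12") carry no year or zone: borrow the year.
    stamp = datetime.strptime(f"{now.year} {line[:15]}", "%Y %b %d %H:%M:%S")
    if stamp - now > timedelta(days=180):  # December entry read in January
        stamp = stamp.replace(year=now.year - 1)
    return (now - stamp).total_seconds()

def classify(skew, tolerance=60):
    """Label a skew measured on an entry written just before `now` was taken."""
    if abs(skew) <= tolerance:
        return "in-sync"
    # Assumption: zone offsets are multiples of 30 minutes, so a skew close to
    # such a multiple suggests the logger and the clock disagree on timezone.
    half_hours = round(skew / 1800)
    if half_hours and abs(skew - half_hours * 1800) <= tolerance:
        return "timezone-offset"
    return "skewed-or-stale"

def check(line, now, tolerance=60):
    skew = log_skew(line, now)
    return skew, classify(skew, tolerance)

if __name__ == "__main__":
    now = datetime(2007, 11, 28, 13, 49, 2)  # the `date` output shown in the FAQ excerpt
    samples = [
        # last auth.log line from the excerpt: an old entry on a quiet server
        "Nov 28 13:39:12 sudo: pam_unix(sudo:session): session closed for user root",
        # constructed: entry forced with `logger` right before running `date`
        "Nov 28 13:49:01 host logger: fail2ban time check",
        # constructed: same forced entry, but stamped one hour behind the clock
        "Nov 28 12:49:01 host logger: fail2ban time check",
    ]
    for line in samples:
        skew, verdict = check(line, now)
        print(f"{skew:>8.0f}s  {verdict:<16} {line[:15]}")
```

On a live system, force an entry with logger first, then pass the last line of the log and `datetime.now()` to `check`; only a fresh entry tells a quiet log apart from a real mismatch.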