fail2ban and systemd-journal

With the introduction of systemd came systemd-journal. The need of this new feature is obvious, an immutable journal of events - an uneditable system log which no hacker (or rogue sys admin) can wipe the traces of their access or any other tracks left behind.

With this new feature we no longer get an easy to read syslog, system logs are access via journalctl, so there are some changes that need to be made to have fail2ban work as expected. Just like almost everything else in the open source world there are more ways to do this than what's laid out below.

First step is to upgrade to the most recent version of fail2ban. As of v1.0.1 the functionality of systemd-journal has been added.

If you can install an up-to-date version of fail2ban all you need to do is edit  /etc/fail2ban/jail.conf to use systemd as follows:

backend = systemd

A restart of fail2ban will get it working again:

systemctl restart fail2ban

Option #2

For those on systems where an updated version of fail2ban cannot be obtained you can install rsyslog

sudo apt update && sudo apt install rsyslog

Now to make sure system authentication logs are heading to the expected place, add the following to your /etc/rsyslog.conf:

authpriv.*      /var/log/auth.log

This will allow the default fail2ban settings find the required logs. But it does come with one caveot, you must ensure the logs are rotated so they don't comsume all the storage space on the drive where they are stored.