I was referring to the ssh jail which uses the auth.log simply because this is the one that will get hit the most - more then ftp will. The fail2ban-regex is also just checking that the regex works. Having 19 successful matches doesn't indicate they occurred within the time frame for fail2ban to ban the attempts.
|