[FR]: Ubuntu 22.04.4 LTS fail2ban Unable to match some authentication failure logs about fail2ban HOT 4 CLOSED

This messages are not authentication issues directly, thus don't belong to the failures in normal mode.
It is rather a matter of ddos (or aggressive) modes.

Add mode = aggressive to the jail if you want match them together with authentication failures:

  [sshd]
+ mode = aggressive
  enabled = true

from fail2ban.

mode = aggressive

i try in /etc/fail2ban/jail.local and restart fail2ban server, but it's not work, Finally, I edited and modified mode = aggressive in /etc/fail2ban/filter.d/sshd.conf and restarted the service , it's successfully.
why jail.local is not work

from fail2ban.

mode = aggressive

i try in /etc/fail2ban/jail.local and restart fail2ban server, but it's not work, Finally, I edited and modified mode = aggressive in /etc/fail2ban/filter.d/sshd.conf and restarted the service , it's successfully. why jail.local is not work

oh my bad, i find reason; filter = sshd can't work with mode = aggressive i change to filter = sshd[mode=aggressive] it's ok

from fail2ban.

Yes, default filter definition looks like this:

In this case (you haven't overwritten the default filter parameter), setting of mode would work properly.

By the way:

• don't copy jail.conf to jail.local: the later upgrade of jail.conf may not work, because parameters remain overwritten by old (previously copied) values, specified in local;
• don't put all the values to the jail (don't rewrite all of them) - put only parameters you really need to overwrite.

Otherwise exact that things could happen.
Let alone you wouldn't know later which parameters are really needed.

from fail2ban.