Fail2Ban not logging attempts from Dropbear pt.2

Creating a bug report/issue

I have searched the existing open and closed issues

Required Information

  • DietPi version | root@DietPi:~# G_DIETPI_VERSION_CORE=9 G_DIETPI_VERSION_SUB=5 G_DIETPI_VERSION_RC=1 G_GITBRANCH='master' G_GITOWNER='MichaIng' G_LIVE_PATCH_STATUS[0]='not applicable' root@DietPi:~#
  • Distro version | bookworm
  • Kernel version | Linux DietPi 5.10.160-legacy-rk35xx #1 SMP Wed May 15 03:04:45 UTC 2024 aarch64 GNU/Linux
  • Architecture | arm64
  • SBC model | Radxa3E
  • Power supply used | (5V3A)
  • SD card used | (SanDisk ultra)

Additional Information (if applicable)

  • Software title | (fail2ban)
  • Bug report ID | a1332c36-9a43-44f6-866f-ea79d3b32167

Hi, I’m connected to this problem “Fail2Ban not logging attemps from Dropbear”

In my case fail2ban is filtering the data but it’s not being logged at all…

I’ll show you my setup

root@DietPi:~# sudo fail2ban-client status dropbear
Status for the jail: dropbear
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     3
|  `- Journal matches:
`- Actions
   |- Currently banned: 3
   |- Total banned:     4
   `- Banned IP list:   183.81.169.238 212.64.211.219 192.168.1.5
root@DietPi:~# 
root@DietPi:~# cat /etc/fail2ban/fail2ban.conf
# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in fail2ban.local file, e.g.:
#
# [DEFAULT]
# loglevel = DEBUG
#

[DEFAULT]

# Option: loglevel
# Notes.: Set the log level output.
#         CRITICAL
#         ERROR
#         WARNING
#         NOTICE
#         INFO
#         DEBUG
# Values: [ LEVEL ]  Default: INFO
#
loglevel = DEBUG

# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSTEMD-JOURNAL, SYSLOG, STDERR or STDOUT.
#         Only one log target can be specified.
#         If you change logtarget from the default value and you are
#         using logrotate -- also adjust or disable rotation in the
#         corresponding configuration file
#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | SYSTEMD-JOURNAL | FILE ]  Default: STDERR
#
logtarget = /var/log/auth.log

# Option: syslogsocket
# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
#        auto uses platform.system() to determine predefined paths
# Values: [ auto | FILE ]  Default: auto
syslogsocket = auto

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
#         fail2ban server.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid

# Option: allowipv6
# Notes.: Allows IPv6 interface:
#         Default: auto
# Values: [ auto yes (on, true, 1) no (off, false, 0) ] Default: auto
#allowipv6 = auto

# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
#         A value of ":memory:" means database is only stored in memory 
#         and data is lost when fail2ban is stopped.
#         A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = /var/lib/fail2ban/fail2ban.sqlite3

# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 1d

# Options: dbmaxmatches
# Notes.: Number of matches stored in database per ticket (resolvable via
#         tags <ipmatches>/<ipjailmatches> in actions)
# Values: [ INT ] Default: 10
dbmaxmatches = 10

[Definition]


[Thread]

# Options: stacksize
# Notes.: Specifies the stack size (in KiB) to be used for subsequently created threads,
#         and must be 0 or a positive integer value of at least 32.
# Values: [ SIZE ] Default: 0 (use platform or configured default)
#stacksize = 0
root@DietPi:~# cat /etc/fail2ban/jail.conf
[DEFAULT]
enabled = true
ignoreip = 127.0.0.1/8
ignorecommand =
backend = systemd
mode = normal
filter = %(__name__)s[mode=%(mode)s]
findtime = 600
maxretry = 3
bantime = 600
banaction = route
action = %(banaction)s[blocktype=blackhole]

[dropbear]
enabled =true
daemon = dropear
logpath = /var/log/auth.log
port =22
filter = dropbear
banaction = route
action = %(banaction)s[blocktype=blackhole]
maxretry = 3
bantime = 14400
findtime = 14400
mode=normal
backend=systemd
[sshd]
# Mode: normal (default), ddos, extra or aggressive (combines all)
# See "filter.d/sshd.conf" for details.
#mode = normal
root@DietPi:~# cat /etc/fail2ban/jail.local
[DEFAULT]
enabled = true
ignoreip = 127.0.0.1/8
ignorecommand =
backend = systemd
mode = normal
filter = %(__name__)s[mode=%(mode)s]
findtime = 600
maxretry = 3
bantime = 600
banaction = route
action = %(banaction)s[blocktype=blackhole]

[dropbear]
enabled =true
daemon = dropear
logpath = /var/log/auth.log
port =22
filter = dropbear
banaction = route
action = %(banaction)s[blocktype=blackhole]
maxretry = 3
bantime = 14400
findtime = 14400
mode=normal
backend=systemd

[sshd]
# Mode: normal (default), ddos, extra or aggressive (combines all)
# See "filter.d/sshd.conf" for details.
#mode = normal
root@DietPi:~# sudo cat /etc/fail2ban/filter.d/dropbear.conf
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = dropbear

prefregex = ^%(__prefix_line)s\[\d+\] [A-Z][a-z]+ \d\d \d\d:\d\d:\d\d <F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$

failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
            ^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
            ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
ignoreregex =
root@DietPi:~# cat /var/log/auth.log
root@DietPi:~# ls -a /var/log/auth.log
/var/log/auth.log
root@DietPi:~# ls -l /var/log/auth.log
-rw-r----- 1 root adm 0 Jul  7 12:35 /var/log/auth.log
root@DietPi:~# journalctl -u fail2ban.service
Jul 07 15:44:33 DietPi systemd[1]: Started fail2ban.service - Fail2Ban Service.
Jul 07 15:44:34 DietPi fail2ban-server[486]: 2024-07-07 15:44:34,624 fail2ban.configreader   [486]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: INFO    --------------------------------------------------
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: INFO    Starting Fail2ban v1.0.2
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG   Creating PID file /var/run/fail2ban/fail2ban.pid
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.observer       [486]: INFO    Observer start...
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG   Starting communication
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.ipdns          [486]: DEBUG   IPv6 is auto
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.database       [486]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.jail           [486]: INFO    Creating new jail 'dropbear'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.jail           [486]: INFO    Jail 'dropbear' uses systemd {}
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filter         [486]: DEBUG   Setting usedns = warn for FilterSystemd(Jail('dropbear'))
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filter         [486]: DEBUG   Created FilterSystemd(Jail('dropbear'))
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filtersystemd  [486]: DEBUG   Created FilterSystemd
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.jail           [486]: INFO    Initiated 'systemd' backend
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     prefregex: '^\\s*(?:\\S+\\s+)?(?:dropbear(?:\\[\\d+\\])?:?\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?\\[\\d+\\] [A-Z][a-z]+ \\d\\d \\d\\d:\\d\\d:\\d\\d <F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: "^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\\d+$"
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\\d+)?$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: "^[Ee]xit before auth \\(user '.+', \\d+ fails\\): Max auth tries reached - user '.+' from <HOST>:\\d+\\s*$"
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filter         [486]: INFO      maxRetry: 3
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filter         [486]: INFO      findtime: 14400
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.actions        [486]: INFO      banTime: 14400
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filter         [486]: DEBUG     Add '127.0.0.0/8' to ignore list ('127.0.0.1/8')
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG   Created <class 'fail2ban.server.action.CommandAction'>
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set actionstart = ''
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set actionstop = ''
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set actioncheck = ''
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set actionban = 'ip route add blackhole <ip>'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set actionunban = 'ip route del blackhole <ip>'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set blocktype = 'blackhole'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set name = 'dropbear'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set actname = 'route'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.jail           [486]: INFO    Creating new jail 'sshd'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.jail           [486]: INFO    Jail 'sshd' uses systemd {}
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filter         [486]: DEBUG   Setting usedns = warn for FilterSystemd(Jail('sshd'))
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filter         [486]: DEBUG   Created FilterSystemd(Jail('sshd'))
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filtersystemd  [486]: DEBUG   Created FilterSystemd
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.jail           [486]: INFO    Initiated 'systemd' backend
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     prefregex: '^<F-MLFID>\\s*(?:\\S+\\s+)?(?:sshd(?:\\[\\d+\\])?:?\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filter         [486]: INFO      maxLines: 1
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^Failed publickey for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^Failed (?:<F-NOFAIL>publickey</F-NOFAIL>|\\S+) for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because not listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because listed in DenyUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because not in any group(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^refused connect from \\S+ \\(<HOST>\\)'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*3: .*: Auth fail(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because a group is listed in DenyGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: "^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$"
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^<F-NOFAIL>pam_[a-z]+\\(sshd:auth\\):\\s+authentication failure;</F-NOFAIL>(?:\\s+(?:(?:logname|e?uid|tty)=\\S*)){0,4}\\s+ruser=<F-ALT_USER>\\S*</F-ALT_USER>\\s+rhost=<HOST>(?:\\s+user=<F-USER>\\S*</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'    
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^User <F-USER>\\S+|.*?</F-USER> not allowed because account is locked(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\\S+</F-USER> <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*Change of username or service not allowed:\\s*.*\\[preauth\\]\\s*$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^Disconnecting: Too many authentication failures(?: for <F-USER>\\S+|.*?</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*11:'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)(?: (?:invalid|authenticating) user <F-USER>\\S+|.*?</F-USER>)? <HOST>(?:(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*|\\s*)$'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^<F-MLFFORGET><F-MLFGAINED>Accepted \\w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\\S+</F-USER> from <HOST>(?:\\s|$)'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.server         [486]: DEBUG     failregex: '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filtersystemd  [486]: INFO    [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filter         [486]: INFO      maxRetry: 3
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filter         [486]: INFO      findtime: 600
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.actions        [486]: INFO      banTime: 600
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filter         [486]: DEBUG     Add '127.0.0.0/8' to ignore list ('127.0.0.1/8')
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG   Created <class 'fail2ban.server.action.CommandAction'>
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set actionstart = ''
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set actionstop = ''
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set actioncheck = ''
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set actionban = 'ip route add blackhole <ip>'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set actionunban = 'ip route del blackhole <ip>'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set blocktype = 'blackhole'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set name = 'sshd'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.CommandAction  [486]: DEBUG     Set actname = 'route'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.jail           [486]: DEBUG   Starting jail 'dropbear'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filtersystemd  [486]: NOTICE  [dropbear] Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.jail           [486]: INFO    Jail 'dropbear' started
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.jail           [486]: DEBUG   Starting jail 'sshd'
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.filtersystemd  [486]: INFO    [sshd] Jail is in operation now (process new journal entries)
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.jail           [486]: INFO    Jail 'sshd' started
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.transmitter    [486]: DEBUG   Status: ready
Jul 07 15:44:35 DietPi fail2ban-server[486]: Server ready
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.actions        [486]: NOTICE  [dropbear] Restore Ban 183.81.169.238
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.utils          [486]: DEBUG   ffffbd5507b0 -- returned successfully 0
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.actions        [486]: NOTICE  [dropbear] Restore Ban 192.168.1.5
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.utils          [486]: DEBUG   ffffbd5507b0 -- returned successfully 0
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.actions        [486]: NOTICE  [dropbear] Restore Ban 212.64.211.219
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.utils          [486]: DEBUG   ffffbd5507b0 -- returned successfully 0
Jul 07 15:44:35 DietPi fail2ban-server[486]: fail2ban.actions        [486]: DEBUG   Banned 3 / 3, 3 ticket(s) in 'dropbear'
Jul 07 15:44:36 DietPi fail2ban-server[486]: fail2ban.filtersystemd  [486]: INFO    [dropbear] Jail is in operation now (process new journal entries)
Jul 07 15:44:36 DietPi fail2ban-server[486]: fail2ban.filtersystemd  [486]: DEBUG   [dropbear] Invalidate signaled, take a little break (rotation ends)
Jul 07 15:49:50 DietPi fail2ban-server[486]: fail2ban.actions        [486]: NOTICE  [dropbear] Unban 192.168.1.5
Jul 07 15:49:50 DietPi fail2ban-server[486]: fail2ban.actions        [486]: DEBUG   [dropbear] action 'route': unban 192.168.1.5
Jul 07 15:49:50 DietPi fail2ban-server[486]: fail2ban.utils          [486]: DEBUG   ffffbc4e70f0 -- returned successfully 0
Jul 07 15:49:55 DietPi fail2ban-server[486]: fail2ban.filter         [486]: DEBUG   Processing line with time:1720363795.334499 and ip:192.168.1.5
Jul 07 15:49:55 DietPi fail2ban-server[486]: fail2ban.filter         [486]: INFO    [dropbear] Found 192.168.1.5 - 2024-07-07 15:49:55
Jul 07 15:49:55 DietPi fail2ban-server[486]: fail2ban.failmanager    [486]: DEBUG   Total # of detected failures: 1. Current failures from 1 IPs (IP:count): 192.168.1.5:1
Jul 07 15:49:55 DietPi fail2ban-server[486]: fail2ban.filter         [486]: DEBUG   Processing line with time:1720363795.657105 and ip:192.168.1.5
Jul 07 15:49:55 DietPi fail2ban-server[486]: fail2ban.filter         [486]: INFO    [dropbear] Found 192.168.1.5 - 2024-07-07 15:49:55
Jul 07 15:49:55 DietPi fail2ban-server[486]: fail2ban.failmanager    [486]: DEBUG   Total # of detected failures: 2. Current failures from 1 IPs (IP:count): 192.168.1.5:2
Jul 07 15:49:56 DietPi fail2ban-server[486]: fail2ban.filter         [486]: DEBUG   Processing line with time:1720363796.025784 and ip:192.168.1.5
Jul 07 15:49:56 DietPi fail2ban-server[486]: fail2ban.filter         [486]: INFO    [dropbear] Found 192.168.1.5 - 2024-07-07 15:49:56
Jul 07 15:49:56 DietPi fail2ban-server[486]: fail2ban.failmanager    [486]: DEBUG   Total # of detected failures: 3. Current failures from 1 IPs (IP:count): 192.168.1.5:3
Jul 07 15:49:56 DietPi fail2ban-server[486]: fail2ban.actions        [486]: NOTICE  [dropbear] Ban 192.168.1.5
Jul 07 15:49:56 DietPi fail2ban-server[486]: fail2ban.observer       [486]: DEBUG   [dropbear] Observer: ban found 192.168.1.5, 14400
Jul 07 15:49:56 DietPi fail2ban-server[486]: fail2ban.utils          [486]: DEBUG   ffffbd5507b0 -- returned successfully 0
Jul 07 15:49:56 DietPi fail2ban-server[486]: fail2ban.actions        [486]: DEBUG   Banned 1 / 4, 3 ticket(s) in 'dropbear'
root@DietPi:~#

I don’t understand, you have some bans, so it captures failed attempts.
What do you actually expect? There is nothing in /var/log/fail2ban.log?

Now I see.
Dropbear doesn’t log to /var/log, it logs directly to systemd. That’s why /var/log/auth.log is empty.

So your logpath in your jail.conf is unnecessary, backend=systemd is the right choice, and that is why it’s working.

You can see the logs of dropbear (and thus the login attempts made) with journalctl -u dropbear.service.

Fail2ban itself probably logs to /var/log/fail2ban.log, since it’s not executed as a systemd service.

Thanks for the explanation but what should I do to enable writing to the log file?

I ask you all this because I would like to implement GitHub - VerifiedJoseph/intruder-alert: Event dashboard for Fail2ban

Thank you

To log dropbear into /var/log/auth.log?

Yes, not necessarily in that file; fail2ban.log is also fine if it’s easier.

You could modify the service file /lib/systemd/system/dropbear.service
and change the ExecStart= line to

ExecStart=/bin/sh -c '/usr/sbin/dropbear -EF -p "$DROPBEAR_PORT" -W "$DROPBEAR_RECEIVE_WINDOW" $DROPBEAR_EXTRA_ARGS 2>&1 | tee -a /var/log/dropbear.log | logger -t dropbear'

Which should log everything also into /var/log/dropbear.log. (I did not test this and of course you can change the path to your liking)

Don’t forget afterwards:

sudo systemctl daemon-reload
sudo systemctl restart dropbear   

Thank you very much it works

I have one last request, I know it’s out of this world but as I explained I was doing all this to have a dashboard: GitHub - VerifiedJoseph/intruder-alert: Event dashboard for Fail2ban

So I configured the yaml file

root@DietPi:~# sudo cat docker-compose.yml 
version: '3'

services:
  app:
    image: ghcr.io/verifiedjoseph/intruder-alert:1.17.2
    container_name: intruder-alert
    environment:
      - IA_TIMEZONE=Europe/London
      - IA_SYSTEM_LOG_TIMEZONE=UTC
      - IA_ASN_DATABASE=/app/backend/data/GeoLite2-ASN.mmdb
      - IA_COUNTRY_DATABASE=/app/backend/data/GeoLite2-Country.mmdb
      - IA_LOG_FOLDER=/app/backend/data/logs
      - IA_DASH_UPDATES=true
    volumes:
      - /root/GeoLite2-ASN.mmdb:/app/backend/data/GeoLite2-ASN.mmdb:ro
      - /root/GeoLite2-Country.mmdb:/app/backend/data/GeoLite2-Country.mmdb:ro
      - /var/log/dropbear.log:/app/backend/data/logs/dropbear.log:ro
    ports:
      - '0.0.0.0:8080:8080'
    security_opt:
      - no-new-privileges:true
root@DietPi:~# 

and I have one ban but the web page

root@DietPi:~# cat /var/log/dropbear.log
[1916] Jul 07 18:28:51 Failed loading /etc/dropbear/dropbear_dss_host_key
[1916] Jul 07 18:28:51 Not backgrounding
[1923] Jul 07 18:28:55 Child connection from 192.168.1.16:53935
[1923] Jul 07 18:28:55 Failed loading /etc/dropbear/dropbear_dss_host_key
[1923] Jul 07 18:28:58 Bad password attempt for 'root' from 192.168.1.16:53935
[1923] Jul 07 18:29:06 Password auth succeeded for 'root' from 192.168.1.16:53935
[1916] Jul 07 18:29:49 Early exit: Terminated by signal
[1923] Jul 07 18:29:49 Exit (root) from <192.168.1.16:53935>: Terminated by signal
[491] Jul 07 18:30:30 Failed loading /etc/dropbear/dropbear_dss_host_key
[491] Jul 07 18:30:30 Not backgrounding
[499] Jul 07 18:30:30 Child connection from 192.168.1.16:53991
[499] Jul 07 18:30:30 Failed loading /etc/dropbear/dropbear_dss_host_key
[499] Jul 07 18:31:13 Password auth succeeded for 'root' from 192.168.1.16:53991
[1779] Jul 07 18:31:40 Child connection from 192.168.1.5:52937
[1779] Jul 07 18:31:40 Failed loading /etc/dropbear/dropbear_dss_host_key
[1779] Jul 07 18:31:45 Bad password attempt for 'root' from 192.168.1.5:52937
[1779] Jul 07 18:31:47 Bad password attempt for 'root' from 192.168.1.5:52937
[1779] Jul 07 18:31:47 Bad password attempt for 'root' from 192.168.1.5:52937
[1779] Jul 07 18:32:35 Exit before auth from <192.168.1.5:52937>: (user 'root', 3 fails): Error reading: Connection reset by peer
[2621] Jul 07 18:38:57 Child connection from 192.168.1.5:60020
[2621] Jul 07 18:38:57 Failed loading /etc/dropbear/dropbear_dss_host_key
[2621] Jul 07 18:38:57 Bad password attempt for 'root' from 192.168.1.5:60020
[2621] Jul 07 18:38:58 Bad password attempt for 'root' from 192.168.1.5:60020
[2621] Jul 07 18:38:58 Bad password attempt for 'root' from 192.168.1.5:60020
[2621] Jul 07 18:38:58 Exit before auth from <192.168.1.5:60020>: (user 'root', 3 fails): Error reading: Connection reset by peer
[2685] Jul 07 18:40:30 Child connection from 183.81.169.238:56142
[2685] Jul 07 18:40:30 Failed loading /etc/dropbear/dropbear_dss_host_key
[2685] Jul 07 18:40:32 Bad password attempt for 'root' from 183.81.169.238:56142
[2685] Jul 07 18:40:39 Exit before auth from <183.81.169.238:56142>: (user 'root', 1 fails): Exited normally
[2690] Jul 07 18:40:39 Child connection from 183.81.169.238:54342
[2690] Jul 07 18:40:39 Failed loading /etc/dropbear/dropbear_dss_host_key
[2690] Jul 07 18:40:40 Bad password attempt for 'root' from 183.81.169.238:54342
[2690] Jul 07 18:40:41 Exit before auth from <183.81.169.238:54342>: (user 'root', 1 fails): Exited normally
[2691] Jul 07 18:40:41 Child connection from 183.81.169.238:54358
[2691] Jul 07 18:40:41 Failed loading /etc/dropbear/dropbear_dss_host_key
[2691] Jul 07 18:40:43 Bad password attempt for 'root' from 183.81.169.238:54358
[2691] Jul 07 18:40:43 Exit before auth from <183.81.169.238:54358>: (user 'root', 1 fails): Exited normally
[2693] Jul 07 18:40:43 Child connection from 183.81.169.238:54372
[2693] Jul 07 18:40:43 Failed loading /etc/dropbear/dropbear_dss_host_key
root@DietPi:~# sudo fail2ban-client status dropbear
Status for the jail: dropbear
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     9
|  `- Journal matches:
`- Actions
   |- Currently banned: 2
   |- Total banned:     3
   `- Banned IP list:   192.168.1.5 183.81.169.238
root@DietPi:~# 

If you can help me, maybe it’s a big mistake on my part…

Hmm I don’t see how you could extract how many bans happened only from the dropbear logfile.
In the log you have lines like

Bad password attempt for 'root' from 183.81.169.238:54358

If fail2ban recognizes three of these lines from the same IP (or whatever threshold you set) it will ban these IPs. But this ban is not noted in the dropbear logfile. So there is no way for the dashboard to get the number of bans just from this log, it would also need to inspect the fail2ban database/log? (I didn’t look into how the dashboard works)
So maybe your fail2ban.log is not right?

I also just noticed now in your fail2ban.conf:
logtarget = /var/log/auth.log
But it should be logtarget = /var/log/fail2ban.log (which probably the dashboard is trying to use too?)

So my theory is, that the dashboard uses a fail2ban logfile where the ban is not noted. The ban is “old” and in another file, the original fail2ban.log?!
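As an added illustration of the reply above (this is not code from the thread, from fail2ban or from intruder-alert): the script runs the prefregex/failregex from the thread's filter.d/dropbear.conf over a constructed copy of the dropbear.log lines, applies the jail's maxretry=3 / findtime=14400 per host, and then parses a constructed fail2ban.log in the file-log format seen in the journal excerpt to show that Ban/Unban events exist only there. It assumes the year 2024 (dropbear lines carry no year), a simplified IPv4 <HOST>, and no syslog prefix on the tee'd file.

```python
"""Replay the dropbear filter logic over the thread's log lines by hand."""
import re
from datetime import datetime, timedelta

# prefregex from filter.d/dropbear.conf, with __prefix_line dropped (assumption:
# the file written by the tee trick has no syslog prefix).
PREFREGEX = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<ts>[A-Z][a-z]+ \d\d \d\d:\d\d:\d\d) "
    r"(?P<content>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+)$"
)
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # simplified <HOST>, IPv4 only
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$",
    r"^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$",
    r"^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached"
    r" - user '.+' from <HOST>:\d+\s*$",
)]

# Constructed sample, shaped like the /var/log/dropbear.log shown in the thread.
DROPBEAR_LOG = """\
[1923] Jul 07 18:28:55 Child connection from 192.168.1.16:53935
[1923] Jul 07 18:28:58 Bad password attempt for 'root' from 192.168.1.16:53935
[1923] Jul 07 18:29:06 Password auth succeeded for 'root' from 192.168.1.16:53935
[1779] Jul 07 18:31:40 Failed loading /etc/dropbear/dropbear_dss_host_key
[1779] Jul 07 18:31:45 Bad password attempt for 'root' from 192.168.1.5:52937
[1779] Jul 07 18:31:47 Bad password attempt for 'root' from 192.168.1.5:52937
[1779] Jul 07 18:31:47 Bad password attempt for 'root' from 192.168.1.5:52937
[1779] Jul 07 18:32:35 Exit before auth from <192.168.1.5:52937>: (user 'root', 3 fails): Error reading: Connection reset by peer
[2685] Jul 07 18:40:32 Bad password attempt for 'root' from 183.81.169.238:56142
[2690] Jul 07 18:40:40 Bad password attempt for 'root' from 183.81.169.238:54342
[2691] Jul 07 18:40:43 Bad password attempt for 'root' from 183.81.169.238:54358
"""

# Constructed sample in the format fail2ban writes when logtarget is a file.
FAIL2BAN_LOG = """\
2024-07-07 15:44:35,101 fail2ban.actions        [486]: NOTICE  [dropbear] Restore Ban 183.81.169.238
2024-07-07 15:49:50,002 fail2ban.actions        [486]: NOTICE  [dropbear] Unban 192.168.1.5
2024-07-07 15:49:55,334 fail2ban.filter         [486]: INFO    [dropbear] Found 192.168.1.5 - 2024-07-07 15:49:55
2024-07-07 15:49:56,030 fail2ban.actions        [486]: NOTICE  [dropbear] Ban 192.168.1.5
"""


def parse_failures(log_text, year=2024):
    """Return [(datetime, host)] for lines passing prefregex and one failregex."""
    found = []
    for line in log_text.splitlines():
        pre = PREFREGEX.match(line)
        if not pre:          # "Child connection", "Failed loading", "succeeded" ...
            continue
        for rx in FAILREGEX:
            m = rx.match(pre.group("content"))
            if m:
                ts = datetime.strptime(f"{year} {pre.group('ts')}", "%Y %b %d %H:%M:%S")
                found.append((ts, m.group("host")))
                break
    return found


def simulate_bans(failures, maxretry=3, findtime=14400):
    """Per-host sliding window, like the jail's maxretry/findtime settings."""
    window = timedelta(seconds=findtime)
    recent, bans = {}, []
    for ts, host in sorted(failures):
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        if len(hits) >= maxretry:
            bans.append((ts, host))
            hits = []        # fail2ban drops the fail ticket once the host is banned
        recent[host] = hits
    return bans


F2B_BAN = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>\w+)\] (?P<action>Ban|Unban|Restore Ban) (?P<ip>\S+)$"
)


def parse_fail2ban_bans(log_text):
    """Extract (jail, action, ip) from fail2ban's own log; dropbear.log has none."""
    return [(m.group("jail"), m.group("action"), m.group("ip"))
            for m in map(F2B_BAN.match, log_text.splitlines()) if m]


if __name__ == "__main__":
    fails = parse_failures(DROPBEAR_LOG)
    print(f"{len(fails)} matching failures in dropbear.log")
    for ts, host in simulate_bans(fails):
        print(f"would ban {host} at {ts:%H:%M:%S}")
    print("ban events in dropbear.log:", parse_fail2ban_bans(DROPBEAR_LOG))
    print("ban events in fail2ban.log:", parse_fail2ban_bans(FAIL2BAN_LOG))
```

Note that the "Exit before auth ... Error reading" line passes prefregex but matches no failregex (that pattern requires "Max auth tries reached"), so only the "Bad password attempt" lines count toward the ban.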

Thx for the reply

I fixed the fail2ban config but there is no log “/var/log/fail2ban.log”

I also tried to make new bans but nothing…

root@DietPi:~# sudo fail2ban-client set dropbear unbanip 192.168.1.5
1
root@DietPi:~# journalctl -u docker.service 
Jul 07 19:27:46 DietPi systemd[1]: Started docker.service - Docker Application Container Engine.
Jul 07 19:27:55 DietPi c79bdd342481[510]: 2024-07-07 18:27:55,533 INFO Set uid to user 0 succeeded
Jul 07 19:27:55 DietPi c79bdd342481[510]: 2024-07-07 18:27:55,572 INFO supervisord started with pid 1
Jul 07 19:27:56 DietPi c79bdd342481[510]: 2024-07-07 18:27:56,584 INFO spawned: 'ia-daemon' with pid 7
Jul 07 19:27:56 DietPi c79bdd342481[510]: 2024-07-07 18:27:56,604 INFO spawned: 'nginx' with pid 8
Jul 07 19:27:56 DietPi c79bdd342481[510]: 2024-07-07 18:27:56,619 INFO spawned: 'php-fpm' with pid 9
Jul 07 19:27:57 DietPi c79bdd342481[510]: [07-Jul-2024 18:27:57] NOTICE: fpm is running, pid 9
Jul 07 19:27:57 DietPi c79bdd342481[510]: [07-Jul-2024 18:27:57] NOTICE: ready to handle connections
Jul 07 19:27:58 DietPi c79bdd342481[510]: 2024-07-07 18:27:58,099 INFO success: ia-daemon entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
Jul 07 19:27:58 DietPi c79bdd342481[510]: 2024-07-07 18:27:58,100 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
Jul 07 19:27:58 DietPi c79bdd342481[510]: 2024-07-07 18:27:58,102 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
Jul 07 19:27:58 DietPi c79bdd342481[510]: Starting intruder alert daemon...
Jul 07 19:27:58 DietPi c79bdd342481[510]: [intruder-alert] Starting intruder alert task... 
root@DietPi:~# sudo docker-compose logs
WARN[0000] /root/docker-compose.yml: `version` is obsolete 
intruder-alert  | 2024-07-07 18:27:55,533 INFO Set uid to user 0 succeeded
intruder-alert  | 2024-07-07 18:27:55,572 INFO supervisord started with pid 1
intruder-alert  | 2024-07-07 18:27:56,584 INFO spawned: 'ia-daemon' with pid 7
intruder-alert  | 2024-07-07 18:27:56,604 INFO spawned: 'nginx' with pid 8
intruder-alert  | 2024-07-07 18:27:56,619 INFO spawned: 'php-fpm' with pid 9
intruder-alert  | [07-Jul-2024 18:27:57] NOTICE: fpm is running, pid 9
intruder-alert  | [07-Jul-2024 18:27:57] NOTICE: ready to handle connections
intruder-alert  | 2024-07-07 18:27:58,099 INFO success: ia-daemon entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
intruder-alert  | 2024-07-07 18:27:58,100 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
intruder-alert  | 2024-07-07 18:27:58,102 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
intruder-alert  | Starting intruder alert daemon...
intruder-alert  | [intruder-alert] Starting intruder alert task...
root@DietPi:~# docker-compose up -d
WARN[0000] /root/docker-compose.yml: `version` is obsolete 
[+] Running 1/0
 ✔ Container intruder-alert  Running                                                                                                                        0.0s 
root@DietPi:~# composer test
-bash: composer: command not found
root@DietPi:~# npm run watch
-bash: npm: command not found
root@DietPi:~# cat /var/log/dropbear.log
[1916] Jul 07 18:28:51 Failed loading /etc/dropbear/dropbear_dss_host_key
[1916] Jul 07 18:28:51 Not backgrounding
[1923] Jul 07 18:28:55 Child connection from 192.168.1.16:53935
[1923] Jul 07 18:28:55 Failed loading /etc/dropbear/dropbear_dss_host_key
[1923] Jul 07 18:28:58 Bad password attempt for 'root' from 192.168.1.16:53935
[1923] Jul 07 18:29:06 Password auth succeeded for 'root' from 192.168.1.16:53935
[1916] Jul 07 18:29:49 Early exit: Terminated by signal
[1923] Jul 07 18:29:49 Exit (root) from <192.168.1.16:53935>: Terminated by signal
[491] Jul 07 18:30:30 Failed loading /etc/dropbear/dropbear_dss_host_key
[491] Jul 07 18:30:30 Not backgrounding
[499] Jul 07 18:30:30 Child connection from 192.168.1.16:53991
[499] Jul 07 18:30:30 Failed loading /etc/dropbear/dropbear_dss_host_key
[499] Jul 07 18:31:13 Password auth succeeded for 'root' from 192.168.1.16:53991
[1779] Jul 07 18:31:40 Child connection from 192.168.1.5:52937
[1779] Jul 07 18:31:40 Failed loading /etc/dropbear/dropbear_dss_host_key
[1779] Jul 07 18:31:45 Bad password attempt for 'root' from 192.168.1.5:52937
[1779] Jul 07 18:31:47 Bad password attempt for 'root' from 192.168.1.5:52937
[1779] Jul 07 18:31:47 Bad password attempt for 'root' from 192.168.1.5:52937
[1779] Jul 07 18:32:35 Exit before auth from <192.168.1.5:52937>: (user 'root', 3 fails): Error reading: Connection reset by peer
[2621] Jul 07 18:38:57 Child connection from 192.168.1.5:60020
[2621] Jul 07 18:38:57 Failed loading /etc/dropbear/dropbear_dss_host_key
[2621] Jul 07 18:38:57 Bad password attempt for 'root' from 192.168.1.5:60020
[2621] Jul 07 18:38:58 Bad password attempt for 'root' from 192.168.1.5:60020
[2621] Jul 07 18:38:58 Bad password attempt for 'root' from 192.168.1.5:60020
[2621] Jul 07 18:38:58 Exit before auth from <192.168.1.5:60020>: (user 'root', 3 fails): Error reading: Connection reset by peer
[2685] Jul 07 18:40:30 Child connection from 183.81.169.238:56142
[2685] Jul 07 18:40:30 Failed loading /etc/dropbear/dropbear_dss_host_key
[2685] Jul 07 18:40:32 Bad password attempt for 'root' from 183.81.169.238:56142
[2685] Jul 07 18:40:39 Exit before auth from <183.81.169.238:56142>: (user 'root', 1 fails): Exited normally
[2690] Jul 07 18:40:39 Child connection from 183.81.169.238:54342
[2690] Jul 07 18:40:39 Failed loading /etc/dropbear/dropbear_dss_host_key
[2690] Jul 07 18:40:40 Bad password attempt for 'root' from 183.81.169.238:54342
[2690] Jul 07 18:40:41 Exit before auth from <183.81.169.238:54342>: (user 'root', 1 fails): Exited normally
[2691] Jul 07 18:40:41 Child connection from 183.81.169.238:54358
[2691] Jul 07 18:40:41 Failed loading /etc/dropbear/dropbear_dss_host_key
[2691] Jul 07 18:40:43 Bad password attempt for 'root' from 183.81.169.238:54358
[2691] Jul 07 18:40:43 Exit before auth from <183.81.169.238:54358>: (user 'root', 1 fails): Exited normally
[2693] Jul 07 18:40:43 Child connection from 183.81.169.238:54372
[2693] Jul 07 18:40:43 Failed loading /etc/dropbear/dropbear_dss_host_key
[2693] Jul 07 18:43:14 Exit before auth from <183.81.169.238:54372>: Error reading: Connection reset by peer
[4313] Jul 07 19:18:59 Child connection from 64.62.156.111:35479
[4313] Jul 07 19:18:59 Failed loading /etc/dropbear/dropbear_dss_host_key
[4313] Jul 07 19:18:59 Login attempt for nonexistent user
[4313] Jul 07 19:19:03 Exit before auth from <64.62.156.111:35479>: Exited normally
[499] Jul 07 19:27:12 Exit (root) from <192.168.1.16:53991>: Terminated by signal
[491] Jul 07 19:27:12 Early exit: Terminated by signal
[492] Jul 07 19:27:45 Failed loading /etc/dropbear/dropbear_dss_host_key
[492] Jul 07 19:27:45 Not backgrounding
[1791] Jul 07 19:29:54 Child connection from 192.168.1.16:54893
[1791] Jul 07 19:29:54 Failed loading /etc/dropbear/dropbear_dss_host_key
[1791] Jul 07 19:29:58 Password auth succeeded for 'root' from 192.168.1.16:54893
[2031] Jul 07 19:34:04 Child connection from 192.168.1.5:63060
[2031] Jul 07 19:34:04 Failed loading /etc/dropbear/dropbear_dss_host_key
[2031] Jul 07 19:34:05 Bad password attempt for 'root' from 192.168.1.5:63060
[2031] Jul 07 19:34:06 Bad password attempt for 'root' from 192.168.1.5:63060
[2031] Jul 07 19:34:06 Bad password attempt for 'root' from 192.168.1.5:63060
[2031] Jul 07 19:34:06 Exit before auth from <192.168.1.5:63060>: (user 'root', 3 fails): Error reading: Connection reset by peer
root@DietPi:~# cat /var/log/fail2ban.log
root@DietPi:~# 

At this point we should understand why fail2ban doesn’t log…

I also made some tests, and it’s logging into the file fail2ban.log like it is set in my /etc/fail2ban/fail2ban.conf:

logtarget = /var/log/fail2ban.log

and

root@RPi4:~# cat /var/log/fail2ban.log
2024-07-07 00:00:07,347 fail2ban.server         [493]: INFO    rollover performed on /var/log/fail2ban.log
2024-07-07 20:42:09,081 fail2ban.filter         [493]: INFO    [vaultwarden] Ignore 192.168.178.43 by ip
2024-07-07 20:43:06,076 fail2ban.filter         [493]: INFO    [vaultwarden] Found 109.42.242.140 - 2024-07-07 20:43:05
2024-07-07 20:43:43,077 fail2ban.filter         [493]: INFO    [vaultwarden] Found 109.42.242.140 - 2024-07-07 20:43:42
2024-07-07 20:43:46,325 fail2ban.filter         [493]: INFO    [vaultwarden] Found 109.42.242.140 - 2024-07-07 20:43:45
2024-07-07 20:43:46,465 fail2ban.actions        [493]: NOTICE  [vaultwarden] Ban 109.42.242.140

Did you restart fail2ban after editing /etc/fail2ban/fail2ban.conf?

Yeah, I rebooted the whole system.

If you know other places to look or some configuration, I can gladly show you.

root@DietPi:~# sudo fail2ban-client set dropbear unbanip 192.168.1.5
1
root@DietPi:~# cat /var/log/fail2ban.log
root@DietPi:~# cat /etc/fail2ban/fail2ban.conf
# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in fail2ban.local file, e.g.:
#
# [DEFAULT]
# loglevel = DEBUG
#

[DEFAULT]

# Option: loglevel
# Notes.: Set the log level output.
#         CRITICAL
#         ERROR
#         WARNING
#         NOTICE
#         INFO
#         DEBUG
# Values: [ LEVEL ]  Default: INFO
#
loglevel = DEBUG

# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSTEMD-JOURNAL, SYSLOG, STDERR or STDOUT.
#         Only one log target can be specified.
#         If you change logtarget from the default value and you are
#         using logrotate -- also adjust or disable rotation in the
#         corresponding configuration file
#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | SYSTEMD-JOURNAL | FILE ]  Default: STDERR
#
logtarget = /var/log/fail2ban.log

# Option: syslogsocket
# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
#        auto uses platform.system() to determine predefined paths
# Values: [ auto | FILE ]  Default: auto
syslogsocket = auto

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
#         fail2ban server.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid

# Option: allowipv6
# Notes.: Allows IPv6 interface:
#         Default: auto
# Values: [ auto yes (on, true, 1) no (off, false, 0) ] Default: auto
#allowipv6 = auto

# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
#         A value of ":memory:" means database is only stored in memory
#         and data is lost when fail2ban is stopped.
#         A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = /var/lib/fail2ban/fail2ban.sqlite3

# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 1d

# Options: dbmaxmatches
# Notes.: Number of matches stored in database per ticket (resolvable via
#         tags <ipmatches>/<ipjailmatches> in actions)
# Values: [ INT ] Default: 10
dbmaxmatches = 10

[Definition]


[Thread]

# Options: stacksize
# Notes.: Specifies the stack size (in KiB) to be used for subsequently created threads,
#         and must be 0 or a positive integer value of at least 32.
# Values: [ SIZE ] Default: 0 (use platform or configured default)
#stacksize = 0
root@DietPi:~# cat /var/log/fail2ban.log
root@DietPi:~# cat /var/log/fail2ban.log
root@DietPi:~# 

What is the output of

ls -la /var/log/fail2ban.log
root@DietPi:~# ls -la /var/log/fail2ban.log
-rw-r----- 1 root adm 0 Jul 7 09:59 /var/log/fail2ban.log
root@DietPi:~#

Ok this looks fine. So the jail and filters are working, since the bans actually happen.
Only the logging is not working, and logging is only defined in fail2ban.conf :thinking:

What about

cat /lib/systemd/system/fail2ban.service
root@DietPi:~# cat /lib/systemd/system/fail2ban.service
[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
PartOf=firewalld.service

[Service]
Type=simple
Environment="PYTHONNOUSERSITE=1"
ExecStart=/usr/bin/fail2ban-server -xf start
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
RuntimeDirectory=fail2ban
PIDFile=/run/fail2ban/fail2ban.pid
Restart=on-failure
RestartPreventExitStatus=0 255
Environment="PYTHONNOUSERSITE=yes"

[Install]
WantedBy=multi-user.target
root@DietPi:~# 

This also looks fine; it does not use sysout for logging, so it should use the path from fail2ban.conf.
To be honest, I don’t know why the logging is not working; maybe a fresh pair of eyes can find something @MichaIng

tl;dr:
The original problem is solved, but to make a 3rd party app work, it needs to read the number of bans and some other data from /var/log/fail2ban.log, and it’s not logging into it, although this file is set for logging in /etc/fail2ban/fail2ban.conf.

See /etc/fail2ban/fail2ban.d/97_dietpi.conf where logtarget is overridden. Create e.g. /etc/fail2ban/fail2ban.d/99_logtarget.conf to override it again with what you need. We generally prefer to ship *.d drop-in configs, so that the original config file can remain untouched and hence automatically updated with package upgrades, remains for review, changes can be easily reverted etc.

For your alert software, it does not matter where Dropbear logs to, but only where Fail2Ban logs to, isn’t it? You changed it already before posting, but it reminds me that we need to fix Dropbear systemd log detection, since the upstream filter is broken with Bookworm, where Dropbear started to use a native systemd unit:

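The drop-in precedence described above (fail2ban.d/97_dietpi.conf overriding fail2ban.conf, and a later 99_*.conf overriding it again), as an added example that is not Fail2Ban's or DietPi's own code: a small Python script that replays Fail2Ban's layered config order over a constructed /etc/fail2ban tree and reports which file last set logtarget. The contents of the constructed 97_dietpi.conf are a placeholder, not the real DietPi drop-in.

```python
"""Replay Fail2Ban's layered config order to find the effective logtarget.
Added example, not Fail2Ban's or DietPi's code; the file tree is constructed
in a temp dir and 97_dietpi.conf's content is a placeholder value."""
import configparser
import glob
import os
import tempfile

def layered_config_files(etc_dir, name="fail2ban"):
    """Merge order used by fail2ban's ConfigReader: NAME.conf, then NAME.d/*.conf
    (sorted), then NAME.local, then NAME.d/*.local (sorted). Later files win, so
    a 99_*.conf drop-in beats 97_dietpi.conf. ([INCLUDES] handling is omitted.)"""
    base = os.path.join(etc_dir, name)
    ordered = [base + ".conf"]
    ordered += sorted(glob.glob(base + ".d/*.conf"))
    ordered += [base + ".local"]
    ordered += sorted(glob.glob(base + ".d/*.local"))
    return [p for p in ordered if os.path.isfile(p)]

def effective_option(etc_dir, option, section="DEFAULT"):
    """Return (value, file that last set it), or (None, None) if no file sets it."""
    value, source = None, None
    for path in layered_config_files(etc_dir):
        cp = configparser.ConfigParser(interpolation=None)
        cp.read(path)
        if cp.has_option(section, option):
            value, source = cp.get(section, option), os.path.basename(path)
    return value, source

def build_demo_tree(with_override):
    """Constructed stand-in for /etc/fail2ban: stock fail2ban.conf points at the
    log file, a distro drop-in redirects it, an optional 99_ drop-in restores it."""
    etc = tempfile.mkdtemp(prefix="f2b-demo-")
    os.makedirs(os.path.join(etc, "fail2ban.d"))
    files = {
        "fail2ban.conf": "[DEFAULT]\nloglevel = DEBUG\nlogtarget = /var/log/fail2ban.log\n",
        "fail2ban.d/97_dietpi.conf": "[DEFAULT]\nlogtarget = SYSOUT\n",  # placeholder value
    }
    if with_override:
        files["fail2ban.d/99_logtarget.conf"] = "[DEFAULT]\nlogtarget = /var/log/fail2ban.log\n"
    for rel, body in files.items():
        with open(os.path.join(etc, rel), "w") as fh:
            fh.write(body)
    return etc

if __name__ == "__main__":
    for override in (False, True):
        print("99_logtarget.conf present:", override, "->", effective_option(build_demo_tree(override), "logtarget"))
```

On the running system, `fail2ban-client get logtarget` reports the value the server is actually using.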

OT:

Interesting, this file was introduced with 8.16 (16 months ago) but is not present on my system, since my system is older. So the particular update did not create this file; it’s only created on installation?

Yes this makes sense, since we did overwrite the original config before this change. So for older installs, the override config was not required.