
Fail2ban for SSH on systemd journald (no /var/log/auth.log)

3 min · updated June 14, 2026

Symptom: you enabled the sshd jail but fail2ban-client status sshd shows 0 failures even though journalctl is full of failed logins. Cause: there’s no /var/log/auth.log on systemd-only distros — the data lives in the journal.

1. Tell the jail to read the journal

In /etc/fail2ban/jail.local:

[sshd]
enabled  = true
backend  = systemd
maxretry = 3
bantime  = 1h

With backend = systemd you don’t set a logpath — Fail2ban queries the journal directly.

2. (Alternative) set it for all jails

[DEFAULT]
backend = systemd

3. Reload

sudo fail2ban-client reload

4. Verify it now sees failures

fail2ban-regex "systemd-journal[_SYSTEMD_UNIT=ssh.service]" /etc/fail2ban/filter.d/sshd.conf

A non-zero matched count means the journal backend is working. Then:

sudo fail2ban-client status sshd

should start showing failures and bans.

On some systems the unit is sshd.service instead of ssh.service. If the regex above shows 0 matched, swap the unit name and re-test.


Why this happens: older guides assume rsyslog writes auth.log. Minimal modern installs drop rsyslog and keep only systemd-journald, so file-based jails silently match nothing. backend = systemd is the fix.
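A way to find the jails affected by this, as an added example that is not part of the original recipe or of Fail2ban itself: the hypothetical audit_jails() parses one jail.local-style text and lists enabled jails whose backend is not systemd and whose logpath is missing. It assumes any non-systemd backend reads files, ignores jail.conf and jail.d overrides, and runs on a constructed sample config.

```python
import configparser
import os

# Constructed sample jail.local: sshd still relies on a file backend.
SAMPLE = """\
[DEFAULT]
backend = auto

[sshd]
enabled  = true
logpath  = /var/log/auth.log
maxretry = 3

[nginx-http-auth]
enabled = true
backend = systemd

[recidive]
enabled = false
logpath = /var/log/fail2ban.log
"""

def audit_jails(config_text, exists=os.path.exists):
    """Return {jail: [missing logpaths]} for enabled file-backed jails.

    Assumption: any backend other than systemd reads the files in logpath.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    findings = {}
    for jail in cp.sections():             # [DEFAULT] is inherited, not listed
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        backend = cp.get(jail, "backend", fallback="auto").strip().lower()
        if backend.startswith("systemd"):  # journal jails need no logpath
            continue
        paths = cp.get(jail, "logpath", fallback="").split()
        missing = [p for p in paths if not exists(p)]
        if missing or not paths:
            findings[jail] = missing or ["<no logpath set>"]
    return findings

if __name__ == "__main__":
    # Simulate a journald-only host: none of the log files exist.
    for jail, missing in audit_jails(SAMPLE, exists=lambda p: False).items():
        print(f"{jail}: backend reads files, but missing {', '.join(missing)}")
```

On a real host, call audit_jails(open("/etc/fail2ban/jail.local").read()) so the default os.path.exists check runs against the actual filesystem.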
