I've installed fail2ban on a Ubuntu box (14.04) but it didn't work correctly. As I tried to inspect the reason, I discovered that the timezone which is being used by the /var/log/auth.log file is different from the system timezone. Here were what I did to change the timezone:
# rm /etc/localtime
# ln -s /usr/share/zoneinfo/Asia/Ho_Chi_Minh /etc/localtime
date command output:
# date
Sun May 4 10:38:28 ICT 2014
Then I triggered an invalid login from SSH, this is what I got:
# tailf /var/log/auth.log
May 3 23:17:01 host-1 CRON[24432]: pam_unix(cron:session): session closed for user root
May 3 23:39:24 host-1 sshd[24439]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 3 23:39:27 host-1 sshd[24439]: Invalid user roots from 123.22.x.x
May 3 23:39:27 host-1 sshd[24439]: input_userauth_request: invalid user roots [preauth]
As you can see, the system datetime is May 4 10:38, but the output of auth.log says that it is using May 3 23:39 as the time. Any explanations and solutions for this?