Fail2ban is failing to ban VSFTPD bruteforce:
In my case with VSFTPD, with unresolvable DNS names from /var/log/secure:
Scenario: VSFTPD is configured for PAM authentication, using xferlog in standard format. Fail2ban for vsftpd is watching /var/log/secure.
Problem: PAM sends failed login information to /var/log/secure, but the remote server's IP address has been replaced by a DNS name. The resulting DNS name does not resolve, or does not resolve correctly, so fail2ban is unable to ban the IP address.
Fix: Configure VSFTPD with "dual_log_enable=YES", and have fail2ban watch /var/log/vsftpd.log instead. This log file shows the incoming IP address instead of the DNS name.
[Update: you also need to add 'use_localtime=YES' to the VSFTPD config file; otherwise, the above trick does not work. It took me hours to solve the problem. :(]
Source and more tips.
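To check which of the two logs gives fail2ban something it can ban without a DNS lookup, here is an added example (not part of the original post). It runs over constructed sample lines in the two log formats; the regexes are simplified stand-ins written for this example, not fail2ban's shipped vsftpd filter, and all hostnames and addresses are made up.

```python
import ipaddress
import re

# Simplified patterns written for this example; not fail2ban's shipped vsftpd filter.
PAM_FAIL = re.compile(r"pam_unix\(vsftpd:auth\): authentication failure;.*\brhost=(?P<host>\S+)")
VSFTPD_FAIL = re.compile(r'\[pid \d+\] \[[^\]]*\] FAIL LOGIN: Client "(?P<host>[^"]+)"')

# Constructed sample lines (hostnames and addresses are documentation values).
SECURE_LOG = [
    "Jan 12 03:14:07 ftp01 vsftpd[2211]: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=admin rhost=host-7.isp.example.invalid",
    "Jan 12 03:14:11 ftp01 vsftpd[2213]: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=root rhost=host-7.isp.example.invalid user=root",
    "Jan 12 03:15:02 ftp01 sshd[2301]: Accepted publickey for ops from 198.51.100.4 port 50222 ssh2",
]
VSFTPD_LOG = [
    'Mon Jan 12 03:14:07 2015 [pid 2211] [admin] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Jan 12 03:14:11 2015 [pid 2213] [root] FAIL LOGIN: Client "::ffff:203.0.113.7"',
    'Mon Jan 12 03:15:40 2015 [pid 2240] [alice] OK LOGIN: Client "198.51.100.9"',
]


def to_ip(host):
    """Return host as a normalised IP string, or None if it is a DNS name."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    # An IPv4-mapped IPv6 address is unwrapped so the ban hits the IPv4 client.
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped or addr)


def audit(lines):
    """Split failed-login sources into literal IPs and names that would need a DNS lookup."""
    result = {"bannable_ips": [], "needs_dns": []}
    for line in lines:
        m = PAM_FAIL.search(line) or VSFTPD_FAIL.search(line)
        if not m:
            continue  # not a failed FTP login
        ip = to_ip(m.group("host"))
        if ip:
            result["bannable_ips"].append(ip)
        else:
            result["needs_dns"].append(m.group("host"))
    return result


if __name__ == "__main__":
    print("secure:    ", audit(SECURE_LOG))
    print("vsftpd.log:", audit(VSFTPD_LOG))
```

Feeding it real lines from /var/log/secure and /var/log/vsftpd.log shows whether the log fail2ban is watching carries literal IP addresses or only names that depend on DNS.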