Authfail worked until 2 weeks ago
Up until 2 weeks ago I was running a program called authfail that worked great. If someone logs in via ssh 3 times with a failed account or password, it adds their IP address to iptables to be dropped.
Now the IP addresses show up under auth.log as they always have, but the /var/log/authfail file never gets updated. And of course the illegal login attempts don't get blocked.
I know there are other ways around this but I'd like to figure out why this isn't working.
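An added example, not part of the original post and not authfail's own code: a sketch of the behaviour described above (three failed SSH logins from one address lead to an iptables DROP rule), run over constructed auth.log lines. It assumes the stock OpenSSH "Failed password ... from IP port N ssh2" message format; the function names and sample addresses are hypothetical.

```python
import re
from collections import Counter
from ipaddress import ip_address

THRESHOLD = 3  # failed logins before an address is blocked, as in the post

# Anchored to the end of the line so only the address sshd appended is captured.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for .+ from (\S+) port \d+ ssh2\s*$"
)

# Constructed sample lines (documentation address ranges), assumed auth.log layout.
SAMPLE_LOG = """\
Mar  3 10:01:11 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 10:01:14 host sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 40112 ssh2
Mar  3 10:01:19 host sshd[2104]: Failed password for root from 203.0.113.7 port 40140 ssh2
Mar  3 10:02:02 host sshd[2110]: Failed password for alice from 198.51.100.23 port 51822 ssh2
Mar  3 10:02:09 host sshd[2110]: Accepted password for alice from 198.51.100.23 port 51822 ssh2
Mar  3 10:03:30 host sshd[2120]: Invalid user oracle from 192.0.2.55 port 33210
"""

def count_failures(lines):
    """Count failed-password lines per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ip_address(m.group(1))  # never pass unvalidated log text on
        except ValueError:
            continue
        counts[str(addr)] += 1
    return counts

def offenders(lines, threshold=THRESHOLD):
    """Addresses that reached the failure threshold, sorted for stable output."""
    return sorted(ip for ip, n in count_failures(lines).items() if n >= threshold)

def drop_rules(ips):
    """Build argv lists (not shell strings) for the DROP rules."""
    return [
        ["ip6tables" if ip_address(ip).version == 6 else "iptables",
         "-I", "INPUT", "-s", ip, "-j", "DROP"]
        for ip in ips
    ]

if __name__ == "__main__":
    for rule in drop_rules(offenders(SAMPLE_LOG.splitlines())):
        print(" ".join(rule))
```

Running the matching step by hand against a few real lines from auth.log shows whether the failure lines still have the shape a parser of this kind expects.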