I've installed fail2ban on my CentOS 5 QMail Toaster installation.

Initially I had some errors in the log that seemed to be related to the path to iptables not being set to look in /sbin. I fixed that and the start up errors have gone away.

I get notices that an IP has been banned via the ssh-iptables rule. If I look in /etc/hosts.deny and/or iptables and I don't see any instance of the IP being banned.

My question is is it a timing issue? I'm looking after the ban has been removed? I'm looking as soon as I get the email. Is fail2ban not updating the correct places? How can I verify?

Note the date on /etc/hosts.deny doesn't change so it's obviously not being touched.

I do see entries in iptables that show fail2ban is able to add entries of some sort:

fail2ban-SMTP  tcp  --  anywhere             anywhere            tcp dpt:smtp
fail2ban-SMTP  tcp  --  anywhere             anywhere            tcp dpt:smtp
fail2ban-pop3  tcp  --  anywhere             anywhere            tcp dpt:pop3
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
fail2ban-SMTP  tcp  --  anywhere             anywhere            tcp dpt:smtp

Chain fail2ban-SMTP (3 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere           
RETURN     all  --  anywhere             anywhere           
RETURN     all  --  anywhere             anywhere           

Chain fail2ban-SSH (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere           

Chain fail2ban-pop3 (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere

I just never see the IP that the log and messages say has been banned.

Help!