In Ubuntu 10.04, rsyslogd is used.
That means that, by default, it compresses repeated syslog messages like this:
Failed password for root from 18.104.22.168 port 22 ssh2
last message repeated 5 time
So, fail2ban count would be ‘1’ for the attack coming from that IP. The fix:
sudo sed -i ‘s/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/’ /etc/rsyslog.conf
sudo service rsyslog restart