
Fail2ban-regex matches from string but not from filter.d files

I’m trying to match WordPress failed logins and I’m struggling with fail2ban configuration.

The lines I’m trying to match look like this:

116.147.121.40 - - [26/Mar/2020:10:18:24 +0100] "POST /wp-login.php HTTP/1.1" 200 2044 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

My problem is that fail2ban-regex matches the lines only if used like this:

fail2ban-regex -v testlog.log "^\s-\s-\s.*\s\"POST\s/wp-login.php\sHTTP.*200"

So this works and I get some matches.

Now if I use this regex in my custom filter file:

root@srv1:~# cat /etc/fail2ban/filter.d/wordpress.conf 

[INCLUDES]
before = common.conf

[Definition]
failregex = ^<HOST>\s\-\s\-\s.*\s\"POST\s\/wp\-login\.php\sHTTP.*200
ignoreregex =

… it’s simply not matching anymore:

Lines: 10 lines, 0 ignored, 0 matched, 10 missed
