I'm trying to set up fail2ban to monitor our traefik access logs but I'm not getting fail2ban to actually ban anything even though fail2ban-regex shows a lot of matches.
I've also specified loglevel = HEAVYDEBUG for fail2ban, but it's not logging anything special to my logtarget (/var/log/fail2ban.log).
I've checked that pyinotify is installed. I also tried switching to a polling backend, but the results are all the same.
fail2ban version: 0.11.1-1
Ubuntu version: Ubuntu 20.04.6 LTS
This is the output I'm getting from fail2ban-regex:
Use failregex filter file : wordpress-general-forceful-browsing, basedir: /etc/fail2ban
Use datepattern : "StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",
Use log file : /opt/traefik/logs/access.log
Use encoding : UTF-8
Results
=======
Failregex: 488 total
|- #) [# of hits] regular expression
| 1) [488] ^{"ClientAddr":"<F-CLIENTADDR>.*</F-CLIENTADDR>","ClientHost":"<HOST>","ClientPort":"<F-CLIENTPORT>.*</F-CLIENTPORT>","ClientUsername":"<F-CLIENTUSERNAME>.*</F-CLIENTUSERNAME>","DownstreamContentSize":<F-DOWNSTREAMCONTENTSIZE>.*</F-DOWNSTREAMCONTENTSIZE>,"DownstreamStatus":<F-DOWNSTREAMSTATUS>.*</F-DOWNSTREAMSTATUS>,"Duration":<F-DURATION>.*</F-DURATION>,"OriginContentSize":<F-ORIGINCONTENTSIZE>.*</F-ORIGINCONTENTSIZE>,"OriginDuration":<F-ORIGINDURATION>.*</F-ORIGINDURATION>,"OriginStatus":(405|404|403|402|401),"Overhead":<F-OVERHEAD>.*</F-OVERHEAD>,"RequestAddr":"<F-REQUESTADDR>.*</F-REQUESTADDR>","RequestContentSize":<F-REQUESTCONTENTSIZE>.*</F-REQUESTCONTENTSIZE>,"RequestCount":<F-REQUESTCOUNT>.*</F-REQUESTCOUNT>,"RequestHost":"<F-CONTAINER>.*</F-CONTAINER>","RequestMethod":"<F-REQUESTMETHOD>.*</F-REQUESTMETHOD>","RequestPath":"<F-REQUESTPATH>.*</F-REQUESTPATH>","RequestPort":"<F-REQUESTPORT>.*</F-REQUESTPORT>","RequestProtocol":"<F-REQUESTPROTOCOL>.*</F-REQUESTPROTOCOL>","RequestScheme":"<F-REQUESTSCHEME>.*</F-REQUESTSCHEME>","RetryAttempts":<F-RETRYATTEMPTS>.*</F-RETRYATTEMPTS>,.*"StartLocal":"<F-STARTLOCAL>.*</F-STARTLOCAL>","StartUTC":"<F-STARTUTC>.*</F-STARTUTC>","TLSCipher":"<F-TLSCIPHER>.*</F-TLSCIPHER>","TLSVersion":"<F-TLSVERSION>.*</F-TLSVERSION>","entryPointName":"<F-ENTRYPOINTNAME>.*</F-ENTRYPOINTNAME>","level":"<F-LEVEL>.*</F-LEVEL>","msg":"<F-MSG>.*</F-MSG>",("request_User-Agent":"<F-USERAGENT>.*</F-USERAGENT>",){0,1}?"time":"<F-TIME>.*</F-TIME>"}$
`-
Ignoreregex: 128 total
|- #) [# of hits] regular expression
| 1) [128] ^{"ClientAddr":"<F-CLIENTADDR>.*</F-CLIENTADDR>","ClientHost":"<HOST>","ClientPort":"<F-CLIENTPORT>.*</F-CLIENTPORT>","ClientUsername":"<F-CLIENTUSERNAME>.*</F-CLIENTUSERNAME>","DownstreamContentSize":<F-DOWNSTREAMCONTENTSIZE>.*</F-DOWNSTREAMCONTENTSIZE>,"DownstreamStatus":<F-DOWNSTREAMSTATUS>.*</F-DOWNSTREAMSTATUS>,"Duration":<F-DURATION>.*</F-DURATION>,"OriginContentSize":<F-ORIGINCONTENTSIZE>.*</F-ORIGINCONTENTSIZE>,"OriginDuration":<F-ORIGINDURATION>.*</F-ORIGINDURATION>,"OriginStatus":(405|404|403|402|401),"Overhead":<F-OVERHEAD>.*</F-OVERHEAD>,"RequestAddr":"<F-REQUESTADDR>.*</F-REQUESTADDR>","RequestContentSize":<F-REQUESTCONTENTSIZE>.*</F-REQUESTCONTENTSIZE>,"RequestCount":<F-REQUESTCOUNT>.*</F-REQUESTCOUNT>,"RequestHost":"<F-REQUESTHOST>.*</F-REQUESTHOST>","RequestMethod":"<F-REQUESTMETHOD>.*</F-REQUESTMETHOD>","RequestPath":"<F-REQUESTPATH>.*(\.png|\.webp|\.jpe?g|\.gif|\.mp3|\.mov|\.mp4|\.json|\.map|\.ico|\.js|\.css|\.ttf|\.woff|\.woff2)(/)*?</F-REQUESTPATH>","RequestPort":"<F-REQUESTPORT>.*</F-REQUESTPORT>","RequestProtocol":"<F-REQUESTPROTOCOL>.*</F-REQUESTPROTOCOL>","RequestScheme":"<F-REQUESTSCHEME>.*</F-REQUESTSCHEME>","RetryAttempts":<F-RETRYATTEMPTS>.*</F-RETRYATTEMPTS>,.*"StartLocal":"<F-STARTLOCAL>.*</F-STARTLOCAL>","StartUTC":"<F-STARTUTC>.*</F-STARTUTC>","TLSCipher":"<F-TLSCIPHER>.*</F-TLSCIPHER>","TLSVersion":"<F-TLSVERSION>.*</F-TLSVERSION>","entryPointName":"<F-ENTRYPOINTNAME>.*</F-ENTRYPOINTNAME>","level":"<F-LEVEL>.*</F-LEVEL>","msg":"<F-MSG>.*</F-MSG>",("request_User-Agent":"<F-USERAGENT>.*</F-USERAGENT>",){0,1}?"time":"<F-TIME>.*</F-TIME>"}$
`-
Date template hits:
|- [# of hits] date format
| [24435] "StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",
`-
Lines: 24435 lines, 128 ignored, 488 matched, 23819 missed
[processed in 19.73 sec]
This is my output from fail2ban-client status:
Status
|- Number of jail: 3
`- Jail list: sshd, wordpress-auth, wordpress-general
And this is my output from /var/log/fail2ban.log:
2023-04-28 15:21:29,943 fail2ban.server [1831210]: INFO Starting Fail2ban v0.11.1
2023-04-28 15:21:29,943 fail2ban.server [1831210]: INFO Daemon started
2023-04-28 15:21:29,943 fail2ban.observer [1831210]: INFO Observer start...
2023-04-28 15:21:29,951 fail2ban.database [1831210]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-04-28 15:21:29,952 fail2ban.jail [1831210]: INFO Creating new jail 'sshd'
2023-04-28 15:21:29,962 fail2ban.jail [1831210]: INFO Jail 'sshd' uses pyinotify {}
2023-04-28 15:21:29,965 fail2ban.jail [1831210]: INFO Initiated 'pyinotify' backend
2023-04-28 15:21:29,967 fail2ban.filter [1831210]: INFO maxLines: 1
2023-04-28 15:21:29,986 fail2ban.filter [1831210]: INFO maxRetry: 5
2023-04-28 15:21:29,986 fail2ban.filter [1831210]: INFO findtime: 600
2023-04-28 15:21:29,986 fail2ban.actions [1831210]: INFO banTime: 600
2023-04-28 15:21:29,986 fail2ban.jail [1831210]: INFO Set banTime.increment = True
2023-04-28 15:21:29,986 fail2ban.jail [1831210]: INFO Set banTime.multipliers = 1 5 30 60 300 720 1440 2880
2023-04-28 15:21:29,986 fail2ban.jail [1831210]: INFO Set banTime.rndtime = 2048
2023-04-28 15:21:29,987 fail2ban.filter [1831210]: INFO encoding: UTF-8
2023-04-28 15:21:29,987 fail2ban.filter [1831210]: INFO Added logfile: '/var/log/auth.log' (pos = 461226, hash = bdb63f55b88b6f0ed320e1dc41b35bdf05ceb27e)
2023-04-28 15:21:29,988 fail2ban.jail [1831210]: INFO Creating new jail 'wordpress-general'
2023-04-28 15:21:29,988 fail2ban.jail [1831210]: INFO Jail 'wordpress-general' uses pyinotify {}
2023-04-28 15:21:29,991 fail2ban.jail [1831210]: INFO Initiated 'pyinotify' backend
2023-04-28 15:21:29,997 fail2ban.datedetector [1831210]: INFO date pattern `'"StartLocal":"%Y-%m-%d[T]%H:%M:%S\\.%f\\d*[Z](%z)?",'`: `"StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",`
2023-04-28 15:21:29,997 fail2ban.filter [1831210]: INFO maxRetry: 5
2023-04-28 15:21:29,997 fail2ban.filter [1831210]: INFO findtime: 60
2023-04-28 15:21:29,998 fail2ban.actions [1831210]: INFO banTime: 600
2023-04-28 15:21:29,998 fail2ban.jail [1831210]: INFO Set banTime.increment = True
2023-04-28 15:21:29,998 fail2ban.jail [1831210]: INFO Set banTime.multipliers = 1 5 30 60 300 720 1440 2880
2023-04-28 15:21:29,998 fail2ban.jail [1831210]: INFO Set banTime.rndtime = 2048
2023-04-28 15:21:29,998 fail2ban.filter [1831210]: INFO encoding: UTF-8
2023-04-28 15:21:29,998 fail2ban.filter [1831210]: INFO Added logfile: '/opt/traefik/logs/access.log' (pos = 20143198, hash = c29bd2d433a5900e0dc59f30ce688fdcd73e1b7e)
2023-04-28 15:21:29,999 fail2ban.jail [1831210]: INFO Creating new jail 'wordpress-auth'
2023-04-28 15:21:29,999 fail2ban.jail [1831210]: INFO Jail 'wordpress-auth' uses pyinotify {}
2023-04-28 15:21:30,002 fail2ban.jail [1831210]: INFO Initiated 'pyinotify' backend
2023-04-28 15:21:30,006 fail2ban.datedetector [1831210]: INFO date pattern `'"StartLocal":"%Y-%m-%d[T]%H:%M:%S\\.%f\\d*[Z](%z)?",'`: `"StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",`
2023-04-28 15:21:30,006 fail2ban.filter [1831210]: INFO maxRetry: 5
2023-04-28 15:21:30,006 fail2ban.filter [1831210]: INFO findtime: 60
2023-04-28 15:21:30,006 fail2ban.actions [1831210]: INFO banTime: 600
2023-04-28 15:21:30,006 fail2ban.jail [1831210]: INFO Set banTime.increment = True
2023-04-28 15:21:30,006 fail2ban.jail [1831210]: INFO Set banTime.multipliers = 1 5 30 60 300 720 1440 2880
2023-04-28 15:21:30,006 fail2ban.jail [1831210]: INFO Set banTime.rndtime = 2048
2023-04-28 15:21:30,006 fail2ban.filter [1831210]: INFO encoding: UTF-8
2023-04-28 15:21:30,007 fail2ban.filter [1831210]: INFO Added logfile: '/opt/traefik/logs/access.log' (pos = 20143198, hash = c29bd2d433a5900e0dc59f30ce688fdcd73e1b7e)
2023-04-28 15:21:30,008 fail2ban.jail [1831210]: INFO Jail 'sshd' started
2023-04-28 15:21:30,009 fail2ban.jail [1831210]: INFO Jail 'wordpress-general' started
2023-04-28 15:21:30,010 fail2ban.jail [1831210]: INFO Jail 'wordpress-auth' started
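As an added example (not code from the question or from fail2ban itself), the script below replays the jail's own decision logic over constructed Traefik JSON access-log records: failregex hits on OriginStatus 401-405, ignoreregex exclusion of static-asset paths, and the maxRetry 5 / findtime 60 thresholds the jail log reports. It shows why a large fail2ban-regex match count does not by itself produce bans: a ban needs maxretry failures from one ClientHost inside a single findtime window. Field names follow Traefik's JSON access-log format; a StartLocal value without a timezone offset is assumed to mean UTC.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAXRETRY, FINDTIME = 5, 60                   # thresholds reported in the jail log above
FAIL_STATUSES = {401, 402, 403, 404, 405}    # the OriginStatus alternation in the failregex
# Static-asset suffixes the ignoreregex excludes (same extension list as in the question).
STATIC_EXT = re.compile(r"\.(png|webp|jpe?g|gif|mp3|mov|mp4|json|map|ico|js|css|ttf|woff2?)/*$", re.I)
# Same shape as the datepattern: date, T, time, fraction (Traefik writes nanoseconds), optional offset.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})\.(\d+)(Z|[+-]\d{2}:\d{2})?$")

def parse_startlocal(value):
    """Parse Traefik's StartLocal into an aware datetime; None when the field does not match."""
    m = TS_RE.match(value)
    if not m:
        return None
    date, clock, frac, tz = m.groups()
    tz = "+00:00" if tz in (None, "Z") else tz   # assumption: a missing offset means UTC
    # fromisoformat needs exactly six fraction digits and a +HH:MM offset, so normalise first
    return datetime.fromisoformat(f"{date}T{clock}.{frac[:6].ljust(6, '0')}{tz}")

def is_failure(entry):
    """A failregex hit (4xx OriginStatus) that the ignoreregex (static asset path) does not cancel."""
    return entry.get("OriginStatus") in FAIL_STATUSES and not STATIC_EXT.search(entry.get("RequestPath", ""))

def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {host: ban time} for hosts that reach maxretry failures inside one findtime window."""
    recent, bans = defaultdict(list), {}
    for line in lines:
        entry = json.loads(line)                  # Traefik JSON access-log record
        ts, host = parse_startlocal(entry.get("StartLocal", "")), entry.get("ClientHost")
        if ts is None or host in bans or not is_failure(entry):
            continue
        # keep only failures still inside the sliding findtime window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)] + [ts]
        if len(recent[host]) >= maxretry:
            bans[host] = ts
    return bans

def _rec(host, status, path, start):              # constructed Traefik-style access-log record
    return json.dumps({"ClientHost": host, "OriginStatus": status, "RequestPath": path, "StartLocal": start})

SAMPLE_LINES = (  # constructed: 5 hits in 5 s; 5 hits spread over 12 min; 5 ignored asset 404s; one 200
    [_rec("203.0.113.10", 404, f"/wp-content/probe{i}.php", f"2023-04-28T15:21:{10 + i:02d}.943123456+02:00") for i in range(5)]
    + [_rec("203.0.113.20", 404, f"/old-page-{i}", f"2023-04-28T15:{21 + 3 * i:02d}:00.000000000+02:00") for i in range(5)]
    + [_rec("203.0.113.30", 404, f"/images/missing{i}.png", f"2023-04-28T15:21:{10 + i:02d}.0Z") for i in range(5)]
    + [_rec("203.0.113.40", 200, "/", "2023-04-28T15:21:30.1+02:00")]
)
```

Only 203.0.113.10 is banned on the sample: the second host also has five matching 404s, but spread over twelve minutes they never share a 60-second window, which is the same reason 488 scattered matches can yield zero bans. Remember as well that the running daemon only reads lines appended after the position it logs in "Added logfile", while fail2ban-regex scans the whole file, so the two tools never see the same set of lines.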