My custom fail2ban jail fails to load even though fail2ban-regex suggests that it should work?

security networking linux fail2ban

I've written a custom jail and filter in fail2ban for logging into my service. The log file is located in /var/log/motion/motion.log and a failed login generates a line like this:

[0:ml1] [ALR] [STR] [Nov 02 11:42:59] handle_basic_auth: motion-stream - failed auth attempt from <ip>

My jail in /etc/fail2ban/jail.local looks like this:

[motion-auth]

enabled = true
port     = 8008
filter = motion-auth.conf
logpath  = /var/log/motion/motion.log
banaction = %(banaction_allports)s
maxretry = 3
findtime = 10800
bantime = 259200

And my filter in /etc/fail2ban/filter.d named motion-auth.conf looks like this:

[Definition]
failregex = \[0:ml1\] \[ALR\] \[STR\] \[.*\] handle_basic_auth: motion-stream - failed auth attempt from <HOST>

When i run fail2ban-regex /var/log/motion/motion.log /etc/fail2ban/filter.d/motion-auth.conf I get a confirmation that my filter does infact function as intented:

Running tests
=============

Use   failregex filter file : motion-auth, basedir: /etc/fail2ban
Use         log file : /var/log/motion/motion.log
Use         encoding : UTF-8


Results
=======

Failregex: 186 total
|-  #) [# of hits] regular expression
|   1) [186] \[0:ml1\] \[ALR\] \[STR\] \[.*\] handle_basic_auth: motion-stream - failed auth attempt from <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2640] (?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 2929 lines, 0 ignored, 186 matched, 2743 missed
[processed in 1.06 sec]

But when I try to reload / restart fail2ban to add my new filter I get a message like this:

Found no accessible config files for 'filter.d/motion-auth.conf' under /etc/fail2ban
 Unable to read the filter 'motion-auth.conf'
 Errors in jail 'motion-auth'. Skipping...
OK

Does anyone know what I'm doing wrong?


Solution 1:

From the man page for jail.conf:

filter

name of the filter -- filename of the filter in /etc/fail2ban/filter.d/ without the .conf/.local extension. Only one filter can be specified.

Fail2ban is probably looking for a file named motion-auth.conf.conf.

Your jail should be:

[motion-auth]

enabled = true
port     = 8008
filter = motion-auth
...

If your filter under /etc/fail2ban/filter.d/ matchs the jail name (like here motion-auth.conf for [motion-auth], you don't need to specify the filter, it's the default value.

Related

What is the difference between zone and domain and domain name in DNS terminology?
Nginx not maching url against valid Regex (it looks valid to me and online regex testers)
Does Linux md-raid store backup metadata anywhere on the disk?
How can I make a redstone signal go more than 15 blocks?
Where and how can I earn Heart Scales?
Color changing orbs dropped by enemies in The Legend of Zelda Wind Waker HD
Am I missing something with managing happiness?
Are bounties infinite?
Why is the bottom lane called the safelane?
Which characters are in which weight groups?
How is XP calculated in Don't Starve?
What do I do with the items I find in toasters?