My custom fail2ban jail fails to load even though fail2ban-regex suggests that it should work?
I've written a custom jail and filter in fail2ban for logging into my service. The log file is located in /var/log/motion/motion.log
and a failed login generates a line like this:
[0:ml1] [ALR] [STR] [Nov 02 11:42:59] handle_basic_auth: motion-stream - failed auth attempt from <ip>
My jail in /etc/fail2ban/jail.local
looks like this:
[motion-auth]
enabled = true
port = 8008
filter = motion-auth.conf
logpath = /var/log/motion/motion.log
banaction = %(banaction_allports)s
maxretry = 3
findtime = 10800
bantime = 259200
And my filter in /etc/fail2ban/filter.d
named motion-auth.conf
looks like this:
[Definition]
failregex = \[0:ml1\] \[ALR\] \[STR\] \[.*\] handle_basic_auth: motion-stream - failed auth attempt from <HOST>
When i run fail2ban-regex /var/log/motion/motion.log /etc/fail2ban/filter.d/motion-auth.conf
I get a confirmation that my filter does infact function as intented:
Running tests
=============
Use failregex filter file : motion-auth, basedir: /etc/fail2ban
Use log file : /var/log/motion/motion.log
Use encoding : UTF-8
Results
=======
Failregex: 186 total
|- #) [# of hits] regular expression
| 1) [186] \[0:ml1\] \[ALR\] \[STR\] \[.*\] handle_basic_auth: motion-stream - failed auth attempt from <HOST>
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [2640] (?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 2929 lines, 0 ignored, 186 matched, 2743 missed
[processed in 1.06 sec]
But when I try to reload / restart fail2ban to add my new filter I get a message like this:
Found no accessible config files for 'filter.d/motion-auth.conf' under /etc/fail2ban
Unable to read the filter 'motion-auth.conf'
Errors in jail 'motion-auth'. Skipping...
OK
Does anyone know what I'm doing wrong?
Solution 1:
From the man page for jail.conf:
filter
name of the filter -- filename of the filter in /etc/fail2ban/filter.d/ without the .conf/.local extension. Only one filter can be specified.
Fail2ban is probably looking for a file named motion-auth.conf.conf
.
Your jail should be:
[motion-auth]
enabled = true
port = 8008
filter = motion-auth
...
If your filter under /etc/fail2ban/filter.d/
matchs the jail name (like here motion-auth.conf
for [motion-auth]
, you don't need to specify the filter, it's the default value.