fail2ban find matches, but does not ban

I am using fail2ban 0.9.7 on CentOS 7 along with an Apache reverse proxy, trying to ban bots that try to access my server as an open proxy, such as:

221.8.179.164 - - [10/Jun/2019:22:04:19 +0200] "CONNECT auth.riotgames.com:443 HTTP/1.1" 405 235 "-" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"

Some of these requests return 200 for some reason, although ProxyRequests is turned off.

Here is my configuration:

apache-badhosts.conf

[Definition]
failregex = ^<HOST> - -.*"(GET|POST|HEAD|CONNECT).*(bad_host_1|bad_host_2|bad_host_3).*"$

ignoreregex =

jail.conf

[apache-badhosts]
port     = http,https
# I made sure this is the proper path
logpath  = /var/log/httpd/access_log
bantime  = 172800
maxretry = 1
enabled  = true

And here is the result of fail2ban-regex:

user@host /e/fail2ban> sudo fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-badhosts.conf

Running tests
=============

Use   failregex filter file : apache-badhosts, basedir: /etc/fail2ban
Use         log file : /var/log/httpd/access_log
Use         encoding : UTF-8


Results
=======

Failregex: 10797 total
|-  #) [# of hits] regular expression
|   1) [10797] ^<HOST> - -.*"(GET|POST|HEAD|CONNECT).*(bad_host_1|bad_host_2|bad_host_3).*"$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [13813] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 13813 lines, 0 ignored, 10797 matched, 3016 missed
[processed in 2.44 sec]

fail2ban.log

The log is pretty much empty, and only shows sshd bans.

Why is fail2ban not banning IPs, although it finds matches using the regex above?
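As an added example (my code, not part of the question and not fail2ban's own source), here is the filter from the question replayed over a few constructed access_log lines, with the jail's findtime/maxretry counting applied the way fail2ban applies it. It shows the one thing fail2ban-regex does not: fail2ban-regex counts every matching line in the whole file, whereas the jail ignores a match whose timestamp is older than findtime (default 600 s) at the moment fail2ban reads it, and bans a host only once it has maxretry matches inside that window. Assumptions: the <HOST> expansion is a simplified copy of fail2ban's, the log lines use RFC 5737 addresses and are constructed, and "now" is supplied by hand.

```python
import re
from datetime import datetime, timedelta

# The pattern fail2ban substitutes for <HOST> (simplified copy of its own,
# enough for IPv4/IPv6 literals and hostnames; assumption, not vendored code).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the question, verbatim.
FAILREGEX = (r'^<HOST> - -.*"(GET|POST|HEAD|CONNECT)'
             r'.*(bad_host_1|bad_host_2|bad_host_3).*"$')

# Apache combined-log timestamp, e.g. [10/Jun/2019:22:04:19 +0200]
APACHE_TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed access_log lines (RFC 5737 addresses), not a real capture.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2019:22:04:19 +0200] "CONNECT bad_host_1:443 HTTP/1.1" 405 235 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2019:22:10:02 +0200] "GET http://bad_host_2/ HTTP/1.1" 200 512 "-" "curl/7.29.0"',
    '203.0.113.9 - - [10/Jun/2019:22:11:45 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_timestamp(line):
    """Return the line's timestamp as an aware datetime, or None."""
    m = APACHE_TS_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def find_failures(lines, failregex=FAILREGEX):
    """What fail2ban-regex reports: every (host, timestamp) whose line matches.
    fail2ban strips the date before applying failregex; this regex matches
    with or without it, so the line is left intact here."""
    rx = compile_failregex(failregex)
    found = []
    for line in lines:
        m = rx.search(line)
        if m:
            found.append((m.group("host"), parse_timestamp(line)))
    return found


def decide_bans(failures, now, findtime=600, maxretry=1):
    """What the jail does with those matches: a match older than findtime
    (relative to when fail2ban reads it) is ignored; a host is banned once
    it has at least maxretry matches inside the window. Returns the set of
    banned hosts and how many matches were dropped as too old."""
    window_start = now - timedelta(seconds=findtime)
    counts = {}
    too_old = 0
    for host, ts in failures:
        if ts is None or ts < window_start:
            too_old += 1
            continue
        counts[host] = counts.get(host, 0) + 1
    return {h for h, n in counts.items() if n >= maxretry}, too_old


if __name__ == "__main__":
    found = find_failures(SAMPLE_LOG)
    # "now" is constructed: fail2ban reading these lines at 22:15 local time.
    now = parse_timestamp("x [10/Jun/2019:22:15:00 +0200] y")
    print("fail2ban-regex would report:", [h for h, _ in found])
    print("jail with findtime=600, maxretry=1 bans:", decide_bans(found, now))
```

With the constructed "now" of 22:15, the 22:04:19 CONNECT is 10 min 41 s old and falls outside the default 600 s findtime, so only the second host is banned; raising findtime to 3600 bans both. The same arithmetic applies to a large access_log: a match count from fail2ban-regex says nothing about how many of those lines were still inside findtime when the jail read them.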


Most probably you don't have pyinotify installed on your system, which causes fail2ban to fail to pick up log file modifications. I had the same problem and fixed it as follows.

1.

Install pyinotify

yum install python-inotify

2.

Once it's installed, edit your jail.local and put

[myjail]
...
backend = pyinotify
...

3.

systemctl restart fail2ban

Not exactly the solution to the above problem, but it may help others who come here:

For me the problem was that fail2ban was watching the wrong log file.

My nginx jails did not work since they used logpath = %(nginx_error_log)s which is /var/log/nginx/error.log. However, all accesses, including 4xx and 5xx, were logged to /var/log/nginx/access.log.

Exchanging %(nginx_error_log)s with %(nginx_access_log)s fixed it.

To see which log file a jail uses, you can inspect the startup messages in /var/log/fail2ban.log:

Creating new jail 'nginx-http-auth'
Jail 'nginx-http-auth' uses pyinotify {}
Initiated 'pyinotify' backend
Added logfile: '/var/log/nginx/error.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
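Added example (my code, not from the answer above and not part of fail2ban): a small parser for those startup messages that maps each jail to the files it opened, and flags jails whose files were empty at that moment. The hash quoted in the answer, da39a3ee5e6b4b0d3255bfef95601890afd80709, is the SHA-1 of an empty input; as I read fail2ban's file handling it hashes the first line of the file it opens, so that value means error.log had nothing in it when the jail started, which fits the answer's finding that every hit was going to access.log instead. Assumptions: the excerpt below is constructed (the timestamp prefix is only approximate), and a jail's "Added logfile" lines follow its own "Creating new jail" line and precede the next jail's, as in the posted excerpt.

```python
import hashlib
import re

# SHA-1 of an empty input: the value fail2ban prints for a file that had no
# content when it was opened (assumption: it hashes the file's first line).
EMPTY_FILE_HASH = hashlib.sha1(b"").hexdigest()

JAIL_RE = re.compile(r"Creating new jail '(?P<jail>[^']+)'")
LOGFILE_RE = re.compile(
    r"Added logfile: '(?P<path>[^']+)' \(pos = (?P<pos>\d+), hash = (?P<hash>[0-9a-f]+)\)")

# Constructed fail2ban.log excerpt, not a real capture; the nginx line carries
# the hash quoted in the answer, the sshd hash is a dummy 40-hex value.
SAMPLE_FAIL2BAN_LOG = """\
2019-06-11 09:00:01,100 fail2ban.jail [1234]: INFO Creating new jail 'nginx-http-auth'
2019-06-11 09:00:01,101 fail2ban.jail [1234]: INFO Jail 'nginx-http-auth' uses pyinotify {}
2019-06-11 09:00:01,102 fail2ban.jail [1234]: INFO Initiated 'pyinotify' backend
2019-06-11 09:00:01,103 fail2ban.filter [1234]: INFO Added logfile: '/var/log/nginx/error.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
2019-06-11 09:00:01,200 fail2ban.jail [1234]: INFO Creating new jail 'sshd'
2019-06-11 09:00:01,201 fail2ban.filter [1234]: INFO Added logfile: '/var/log/secure' (pos = 0, hash = 0123456789abcdef0123456789abcdef01234567)
"""


def jail_logfiles(log_text):
    """Map jail name -> list of {path, pos, hash} from the startup messages.
    Assumes a jail's 'Added logfile' lines follow its 'Creating new jail'
    line and come before the next jail's, as in the excerpt above."""
    jails = {}
    current = None
    for line in log_text.splitlines():
        m = JAIL_RE.search(line)
        if m:
            current = m.group("jail")
            jails.setdefault(current, [])
            continue
        m = LOGFILE_RE.search(line)
        if m and current is not None:
            jails[current].append({"path": m.group("path"),
                                   "pos": int(m.group("pos")),
                                   "hash": m.group("hash")})
    return jails


def empty_at_startup(jails):
    """Jails all of whose watched files were empty when fail2ban opened them:
    a strong hint that the jail's logpath points at a file nothing writes to."""
    return sorted(name for name, files in jails.items()
                  if files and all(f["hash"] == EMPTY_FILE_HASH for f in files))


if __name__ == "__main__":
    jails = jail_logfiles(SAMPLE_FAIL2BAN_LOG)
    for name, files in jails.items():
        print(name, "->", [f["path"] for f in files])
    print("jails watching files that were empty at startup:", empty_at_startup(jails))
```

Feed it the real /var/log/fail2ban.log after a restart; any jail it lists is worth cross-checking against where the daemon in question actually writes, as the answer above did for nginx.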