Fail2Ban Sample Configuration is Outdated

[61214577]

Description

The provided fail2ban configuration is outdated and does not work. The format of the access log has apparently been changed.

This is what an entry on the access log looks like:

Failed login attempt {"remoteAddress":"::ffff:127.0.0.1","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0","timestamp":1573554454}

This does not match with the fail regex provided in the sample fail2ban configuration:

failregex = ^INFO\s+Failed login attempt\s+{\"password\":\"(\\.|[^"])*\",\"remoteAddress\":\"<HOST>\"
datepattern = "timestamp":{EPOCH}}$

I have attempted to modify the fail regex for the new log format but have not been able to get the syntax correct. My regex is the following:

failregex=^Failed login attempt {\"remoteAddress\":\"<HOST>\"
datepattern = "timestamp":{EPOCH}}$

I am unable to get a match when testing with fail2ban-regex.

[sr229]

@61214577 Instead of opening an issue, kindly make a PR for this instead. Thanks.

[code-asher]

Ah right the format changed. Your regex looks like it should match the new format: https://regex101.com/r/4dnbf2/1 I'm not very familiar with fail2ban; is it possible <HOST> is choking on the IPv6 address?

[61214577]

This had to do with Ubuntu's apt providing an older version of fail2ban. Support for the type of datepattern regex used in the code-server configuration was added in the v0.10. Installing the latest release from the fail2ban github repo fixed the issue.