How to add "http: TLS handshake error" to ban list

[openbayou]

I'm getting a lot of alerts with the following:

server runcloud[626]: echo: http: TLS handshake error from 87.236.176.125:43713: EOF
server runcloud[626]: echo: http: TLS handshake error from 87.236.176.143:39153: read tcp 5.161.153.41:34210->87.236.176.143:39153: read: connection reset by peer
server runcloud[626]: echo: http: TLS handshake error from 212.70.149.78:61091: tls: first record does not look like a TLS handshake

How do I add a filter to my jail.local to block the IP address? I already have a failregex to block "Bad protocol version identification" trying to access sshd.

failregex = %(known/failregex)s
            ^Bad protocol version identification '.*' from <HOST>

Thanks.

[sebres]

Well, I'm unsure why you assign this log messages to sshd, where it is obviously runcloud (and probably you'd need to protect http port (80,443) instead of sshd port (22).

Anyway, if you nevertheless need to extend sshd's failregex, you would need to match the string starting from runcloud ..., because timestamp would be captured by datepattern and server part by prefregex of sshd-filter, so it'd be something like that:

[sshd]
failregex = %(known/failregex)s
            ^runcloud\[\d+\]: echo: http: TLS handshake error from <ADDR>:\d+

to test it with fail2ban-regex try this:

# replace systemd-journal with log-filename if it file-related jail:
fail2ban-regex systemd-journal 'sshd[failregex="^runcloud\[\d+\]: echo: http: TLS handshake error from <ADDR>:\d+"]'

However I guess it'd be totally different jail, e. g. something like that:

[runcloud]
port = 80,443
logpath = ...
journalmatch = ...
failregex = ^\s*\S+ runcloud\[\d+\]: echo: http: TLS handshake error from <ADDR>:\d+
...
enabled = true

[openbayou]

Excellent! Thanks for the response but I'm having problems combing multiple failregex. I already have one for detecting Bad protocol version identification and when I added another failregex, fail2ban didn't restart.

failregex = %(known/failregex)s
            ^Bad protocol version identification '.*' from <HOST>
failregex = %(known/failregex)s 
            ^runcloud\[\d+\]: echo: http: TLS handshake error from <ADDR>:\d+

[sebres]

Simply remove 3rd line (only one parameter specification and multiple REs each after new-line & spaces):

 failregex = %(known/failregex)s
             ^Bad protocol version identification '.*' from <HOST>
-failregex = %(known/failregex)s 
             ^runcloud\[\d+\]: echo: http: TLS handshake error from <ADDR>:\d+

[sebres]

As for ^Bad protocol version identification - this RE seems to be in sshd-filter already, but as part of ddos (and aggressive) mode.
So to activate it, simply set mode = aggressive to sshd jail.

[openbayou]

Awesome! Thanks for the help!