apache-auth jail is missing failures

[dleer]

I have Fail2ban v1.0.2 running an an Almalinux 8 server. The "apache-auth" jail is not detecting my tests of failed authentications. Is it an apache error_log parsing issue? The "apache-modsecurity" jail is working ok.

Examples:

[Wed May 17 10:13:41.604073 2023] [auth_basic:error] [pid 282063:tid 22499957593856] [remote 172.58.137.205:30205] AH01618: user x1234 not found: /A/admin.htm

[Wed May 17 10:13:43.357027 2023] [auth_basic:error] [pid 282063:tid 22499955492608] [remote 172.58.137.205:30205] AH01617: user x123: authentication failure for "/A/admin.htm": Password Mismatch

In jail.local,

[apache-auth]
backend = auto
logpath = /var/log/apache2/error_log
enabled = true
maxretry = 6
bantime = 5m
bantime.increment = true
bantime.maxtime = 14d

[sebres]

It looks like the _apache_error_client definition deviates a bit here from it declared in

fail2ban/config/filter.d/apache-common.conf

Line 32 in 5d9603c

_apache_error_client = <apache-prefix>\[(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]

This one must work for your prefix format:

fail2ban-regex /tmp/log 'apache-auth[_apache_error_client="(?:\[\] )?\[(?:auth_basic:)?(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[remote <ADDR>(:\d{1,5})?\]"]'

Either set it in Definition or DEFAULT section of filter.d/apache-common.local:

[Definition]
_apache_error_client = (?:\[\] )?\[(?:auth_basic:)?(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[remote <ADDR>(:\d{1,5})?\]

(this will also affect all apache filters using apache-common include).

Or as filter parameter directly in jail.local:

[apache-auth]
filter = %(known/filter)s[_apache_error_client="(?:\[\] )?\[(?:auth_basic:)?(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[remote <ADDR>(:\d{1,5})?\]"]
...

[dleer]

Sebres,

Thank you. That works perfectly. I was just not savvy enough with regex to solve it myself.