Cannot get match with F2B .11 and Plesk 12.5, Ubuntu 14.04 #2192

Closed
artisticdigital opened this issue Jul 30, 2018 · 5 comments
artisticdigital commented Jul 30, 2018

Environment: Ubuntu 14.04, Plesk 12.5, Fail2Ban .11 (and due to this, we cannot load Fail2Ban within the Plesk Admin, and are controlling/testing it via ssh, which is fine).

  • [x] You have not applied any additional foreign patches to the codebase
  • [x] Some customizations were done to the configuration (provide details below if so)
    We are writing, via PHP, a custom log file

The issue:

Cannot get a match of the filter to the log.

Steps to reproduce

fail2ban-regex /var/www/vhosts/firstsecurity-creditunion.com/httpdocs/fscu.log /etc/fail2ban/filter.d/fscu.local

Expected behavior

Matches to be shown in testing per above, INFO to show up in the Fail2Ban log, ultimately banning an IP per the jail settings.

Observed behavior

Running tests
=============
Use   failregex filter file : fscu, basedir: /etc/fail2ban
Use         log file : /var/www/vhosts/firstsecurity-creditunion.com/httpdocs/fscu.log
Use         encoding : UTF-8

Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 5 lines, 0 ignored, 0 matched, 5 missed

Any additional information

Other filters/jails are producing results on the same machine, banning IPs fine. We used one of these as the source for the "HOST" section of our fscu filter. We updated to .11 to provide for inclusion of the fix to piyo seeing files as paths - the exact issue running .9.2.

Configuration, dump and other helpful excerpts

Filter - see capture below

Jail is set as:

[FSCU]
enabled = true
port = http,https
filter = fscu
logpath = /var/www/vhosts/firstsecurity-creditunion.com/httpdocs/fscu.log
datepattern = %%b-%%d-%%H:%%M:%%S
action = iptables-multiport[name=fscu, port="http,https", protocol="tcp", chain="INPUT"]
sendmail[dest = "root", sender="fail2ban", sendername="Fail2Ban", name="fscu"]
maxretry = 6

Filter:

[Definition]
failregex = ^.* PASSWORD MISMATCH, ip=\[<HOST>\]$

Log entries are coming in as:

Jul-30-09:36:51 harley fscu: PASSWORD MISMATCH, ip=[::ffff:73.209.126.220]

Relevant parts of /var/log/fail2ban.log file:

preferably obtained while running fail2ban with loglevel = 4

2018-07-30 09:56:10,802 fail2ban.server         [9169]: INFO    Reload jail 'FSCU'
2018-07-30 09:56:10,802 fail2ban.filter         [9169]: INFO      maxRetry: 6
2018-07-30 09:56:10,802 fail2ban.datedetector   [9169]: INFO      date pattern `'%b-%d-%H:%M:%S'`: `MON-Day-24hour:Minute:Second`
2018-07-30 09:56:10,803 fail2ban.filter         [9169]: INFO      findtime: 1600
2018-07-30 09:56:10,803 fail2ban.actions        [9169]: INFO      banTime: 6000

artisticdigital (author) commented

filter shown
[image: screen shot 2018-07-30 at 10 31 15 am]


sebres commented Jul 31, 2018

Lines: 5 lines, 0 ignored, 0 matched, 5 missed

Your datepattern is only in the jail (but not in the filter). The fail2ban-regex tool does not know about this, so either you should provide it at start (fail2ban-regex --datepattern=%b-%d-%H:%M:%S ...) or just add it to the filter:

[Definition]
failregex = ^\s*\w+ fscu: PASSWORD MISMATCH, ip=\[<HOST>\]
datepattern = %%b-%%d-%%H:%%M:%%S

In this case you don't need it in the jail.
BTW, I've changed the failregex above to be less vulnerable.

Why it does not ban inside the server (which has the correct datepattern) could have several reasons:

Thus closed.
Let me know if I should reopen it (with more info: e.g. your current time (and TZ), verbose output of fail2ban-regex, etc.).

sebres closed this as completed Jul 31, 2018

artisticdigital (author) commented

Will try these and report back; I believe the time is correct (I did see that notice) but will check that as well. Thanks for your response, sebres.

artisticdigital (author) commented

That's all it was, matched/banned perfectly. Not sure where/why I was under the impression the datepattern should be in the jail - you might want to document that it should be part of the filter if it's not. Thanks again.

sebres commented Jul 31, 2018

it should be part of the filter

This is IMHO not so (at least for fail2ban >= 0.10) for fail2ban itself to work.
But for fail2ban-regex it is as I said: either as an option or inside the filter (it does nothing with and doesn't know jail.conf).
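The two-stage check sebres describes in both replies (the timestamp at the start of the line must be consumed by the datepattern before failregex is tried, which is why fail2ban-regex needs the pattern in the filter or on its command line while the running server can take it from the jail), as an added Python emulation that is not fail2ban's own code. The log lines are constructed from the one quoted in the issue, the `<HOST>` expansion is a simplified stand-in for fail2ban's real one, and the function names are this example's own.

```python
import re
from datetime import datetime

# Added example, not fail2ban's own code: a minimal emulation of the two
# stages fail2ban-regex applies to each line (consume the timestamp with the
# date pattern, only then try failregex). Log lines are constructed from the
# one quoted in the issue; patterns are the ones from the thread.
SAMPLE_LOG = [
    "Jul-30-09:36:51 harley fscu: PASSWORD MISMATCH, ip=[::ffff:73.209.126.220]",
    "Jul-30-09:37:02 harley fscu: PASSWORD MISMATCH, ip=[198.51.100.7]",
    "Jul-30-09:37:10 harley fscu: login ok, ip=[198.51.100.8]",
]
FAILREGEX = r"^\s*\w+ fscu: PASSWORD MISMATCH, ip=\[<HOST>\]"  # sebres' version
JAIL_DATEPATTERN = "%%b-%%d-%%H:%%M:%%S"                       # as in the config
# Simplified stand-in for fail2ban's <HOST> expansion: IPv4, IPv6 and
# IPv4-mapped IPv6 (::ffff:a.b.c.d) literals only, no hostnames.
HOST_RE = r"(?P<host>[0-9A-Fa-f:.]+)"

def unescape_datepattern(config_value):
    """Config files escape '%' as '%%' (ConfigParser interpolation)."""
    return config_value.replace("%%", "%")

def split_date(line, datepattern):
    """Consume a strptime-format timestamp from the start of `line`.
    Returns (datetime, remainder), or (None, line) if it does not parse."""
    ntok = len(datepattern.split())  # whitespace tokens the timestamp spans
    tokens = line.split(None, ntok)
    if len(tokens) < ntok:
        return None, line
    try:
        ts = datetime.strptime(" ".join(tokens[:ntok]), datepattern)
    except ValueError:
        return None, line
    return ts, (tokens[ntok] if len(tokens) > ntok else "")

def run_filter(lines, failregex, datepattern):
    """Return (matched, missed); matched holds (timestamp, host) tuples.
    A line whose timestamp does not parse is missed, as seen in the issue."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_RE))
    matched, missed = [], []
    for line in lines:
        ts, rest = split_date(line, datepattern) if datepattern else (None, line)
        hit = pattern.search(rest) if ts is not None else None
        if hit:
            matched.append((ts, hit.group("host")))
        else:
            missed.append(line)
    return matched, missed
```

Running `run_filter(SAMPLE_LOG, FAILREGEX, None)` reproduces the "0 matched, all missed" summary from the report, while passing `unescape_datepattern(JAIL_DATEPATTERN)` yields the two PASSWORD MISMATCH hosts; fail2ban's real date detector has more fallbacks than this emulation.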
