Dear Maintainer, fail2ban fails to detect login attempts when using htdigest auth in apache, so I have copied some regex lines out of apache-auth.conf from my FreeBSD 10.0 box, and now it works. Cheers Olaf
In 0.8.6-3wheezy2 it looks like the regex for _apache_error_client in the apache-common.conf isn't working any more.
We had the same problem in another filter-file by including the apache-common.conf.
The following regex fixed the problem:
_apache_error_client = \[\] \[(:?error|\S+:\S+)\] \[client <HOST>(:\d{1,5})?\]
Cheers,
Guido
I face a similar issue on Wheezy, when using basic authentication, with version 0.8.6-3wheezy3 : the authentication failures are not matched by fail2ban regex in filter apache-auth.conf It seems to come from the debian patch applied in http://security.debian.org/debian-security/pool/updates/main/f/fail2ban/fail2ban_0.8.6-3wheezy3.diff.gz : -failregex = [[]client <HOST>[]] user .* authentication failure - [[]client <HOST>[]] user .* not found - [[]client <HOST>[]] user .* password mismatch +failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$ The problem comes from the trailing \s. If I replace it with a dot, it works : failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch).*$ Here is an example of a log line generated by my Apache config : [Tue Jul 29 11:38:11 2014] [error] [client xxx.xxx.xxx.xxx] user XXXX not found: /path/ The "not found" string is followed by a ":", which explains the regex did not match. I use the standard version of Apache that comes with wheezy : 2.2.22-13+deb7u3 And my log file is configured with : CustomLog /var/log/apache2/error.log vhost_combined
On Wed, 06 Aug 2014 13:28:49 +0200 Mossroy <mossroy@free.fr> wrote: > The problem comes from the trailing \s. If I replace it with a dot, it > works : > failregex = ^%(_apache_error_client)s user .* (authentication > failure|not found|password mismatch).*$ Same issue here. Your remedy is what we came up with ourselves. [Thu Oct 02 16:36:12 2014] [error] [client 10.x.x.x] user xxxx: authentication failure for "/": Password Mismatch