I’ve been making errors with fail2ban since I went NC18.
If I remove nextcloud from the jail.d and filter.d directories, I can run fail2ban with no problem.
Nextcloud18 has changed the way I write filter and jail for fail2ban?
Nextcloud 18.0.4, CentOS 7.7
Hi,
i am also running 18.04 on centos 7.7 - just add these lines to /etc/fail2ban/jail.conf:
[nextcloud]
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 5
logpath = /var/log/nextcloud.log
action = %(action_mwl)s
bantime = 86400
and create /etc/fail2ban/filter.d/nextcloud.conf:
[Definition]
failregex = ^{“reqId”:".",“remoteAddr”:".",“app”:“core”,“message”:“Login failed: '.’ (Remote IP: ‘’)",“level”:2,“time”:".”}$
^{“reqId”:".",“level”:2,“time”:".",“remoteAddr”:".",“app”:“core”.",“message”:"Login failed: '.’ (Remote IP: ‘’)".}$
ignoreregex =
Restart fail2ban … tadaaa!
When I apply the sample you presented to each of the conf files, fail2ban is an error like the following
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/fail2ban.service.d
└─50-ensure-log.conf
Active: failed (Result: exit-code) since Sat 2020-05-23 23:48:41 JST; 3s ago
Docs: man:fail2ban(1)
Process: 10680 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255)
Process: 10675 ExecStartPre=/bin/sh -c umask 077; touch /var/log/fail2ban.log; restorecon /var/log/fail2ban.log >/dev/null 2>&1 (code=exited, status=0/SUCCESS)
Process: 10673 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 10680 (code=exited, status=255)
May 23 23:48:41 AAAAAAAA systemd[1]: Started Fail2Ban Service.
May 23 23:48:41 AAAAAAAA fail2ban-server[10680]: 2020-05-23 23:48:41,546 fail2ban [10680]: ERROR Failed during configuration: Bad value substitution:
May 23 23:48:41 AAAAAAAA fail2ban-server[10680]: section: [nextcloud]
May 23 23:48:41 AAAAAAAA fail2ban-server[10680]: option : action
May 23 23:48:41 AAAAAAAA fail2ban-server[10680]: key : action_mwl
May 23 23:48:41 AAAAAAAA fail2ban-server[10680]: rawval :
May 23 23:48:41 AAAAAAAA fail2ban-server[10680]: 2020-05-23 23:48:41,551 fail2ban [10680]: ERROR Async configuration of server failed
May 23 23:48:41 AAAAAAAA systemd[1]: fail2ban.service: main process exited, code=exited, status=255/n/a
May 23 23:48:41 AAAAAAAA systemd[1]: Unit fail2ban.service entered failed state.
May 23 23:48:41 AAAAAAAA systemd[1]: fail2ban.service failed.I am suspicious of the filter. I wonder if there has been any change from before?
I’m not sure if it’s the NC side or the fail2ban side.
The log format of nextcloud depends in where the access came from (web interface, webdav…). There are several long discussions (in these forums here) which all conclude that the following filter works best:
[Definition]
failregex=^.*Login failed: '?.*'? \(Remote IP: '?<HOST>'?\).*$
^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$
ignoreregex =
because the single quotes around some parts are optional and it only matches relevant parts of the log message while wildcarding the rest.
Sorry, the cause was SELinux.
Hi, I think I have the same problem as you. fail2ban fails to boot because it cannot access nextcloud resources. Consider that I installed nextcloud on an external hard drive and when I try to start the fail2ban service, it crashes and tells me “Failed during configuration: Have not found any log file for nextcloud jail” despite the logpath (indicated in the nextcloud guide) is correct. How did you solve the problem with SELinux?
SELinux is preventing /usr/libexec/platform-python3.6 from getattr access on the file /path_2_your_data/nextcloud.log.
If you believe that platform-python3.6 should be allowed getattr access on the nextcloud.log file by default.
You should report this as a bug. You can generate a local policy module to allow this access.
ausearch -c 'fail2ban-server' --raw | audit2allow -M my-fail2banserver
semodule -X 300 -i my-fail2banserver.pp