Fail2ban on Nextcloud 18

I’ve been making errors with fail2ban since I went NC18.
If I remove nextcloud from the jail.d and filter.d directories, I can run fail2ban with no problem.

Nextcloud18 has changed the way I write filter and jail for fail2ban?


Nextcloud 18.0.4, CentOS 7.7

Hi,
i am also running 18.04 on centos 7.7 - just add these lines to /etc/fail2ban/jail.conf:

[nextcloud]
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 5
logpath = /var/log/nextcloud.log
action = %(action_mwl)s
bantime = 86400

and create /etc/fail2ban/filter.d/nextcloud.conf:

[Definition]
failregex = ^{“reqId”:".",“remoteAddr”:".",“app”:“core”,“message”:“Login failed: '.’ (Remote IP: ‘’)",“level”:2,“time”:".”}$
^{“reqId”:".",“level”:2,“time”:".",“remoteAddr”:".",“app”:“core”.",“message”:"Login failed: '.’ (Remote IP: ‘’)".}$
ignoreregex =

Restart fail2ban … tadaaa!

When I apply the sample you presented to each of the conf files, fail2ban is an error like the following

● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/fail2ban.service.d
           └─50-ensure-log.conf
   Active: failed (Result: exit-code) since Sat 2020-05-23 23:48:41 JST; 3s ago
     Docs: man:fail2ban(1)
  Process: 10680 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255)
  Process: 10675 ExecStartPre=/bin/sh -c umask 077; touch /var/log/fail2ban.log; restorecon /var/log/fail2ban.log >/dev/null 2>&1 (code=exited, status=0/SUCCESS)
  Process: 10673 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 10680 (code=exited, status=255)

May 23 23:48:41 AAAAAAAA systemd[1]: Started Fail2Ban Service.
May 23 23:48:41 AAAAAAAA fail2ban-server[10680]: 2020-05-23 23:48:41,546 fail2ban                [10680]: ERROR   Failed during configuration: Bad value substitution:
May 23 23:48:41 AAAAAAAA fail2ban-server[10680]: section: [nextcloud]
May 23 23:48:41 AAAAAAAA fail2ban-server[10680]: option : action
May 23 23:48:41 AAAAAAAA fail2ban-server[10680]: key    : action_mwl
May 23 23:48:41 AAAAAAAA fail2ban-server[10680]: rawval :
May 23 23:48:41 AAAAAAAA fail2ban-server[10680]: 2020-05-23 23:48:41,551 fail2ban                [10680]: ERROR   Async configuration of server failed
May 23 23:48:41 AAAAAAAA systemd[1]: fail2ban.service: main process exited, code=exited, status=255/n/a
May 23 23:48:41 AAAAAAAA systemd[1]: Unit fail2ban.service entered failed state.
May 23 23:48:41 AAAAAAAA systemd[1]: fail2ban.service failed.

I am suspicious of the filter. I wonder if there has been any change from before?
I’m not sure if it’s the NC side or the fail2ban side.

The log format of nextcloud depends in where the access came from (web interface, webdav…). There are several long discussions (in these forums here) which all conclude that the following filter works best:

[Definition]
failregex=^.*Login failed: '?.*'? \(Remote IP: '?<HOST>'?\).*$
          ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$
ignoreregex =

because the single quotes around some parts are optional and it only matches relevant parts of the log message while wildcarding the rest.

Sorry, the cause was SELinux.