I'm having trouble getting fail2ban to detect failed apache-auth attempts
The filters look like this:
^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
and the errors that come up:
[Tue Dec 23 13:41:45.870693 2014] [auth_basic:error] [pid 2818] [client 97.171.82.123:91131] AH01617: user miati: authentication failure for "/test/file.html": Password Mismatch, referer: https://example.org/test/file.html
[Tue Dec 23 13:41:45.870693 2014] [auth_basic:error] [pid 2818] [client 97.171.82.123:91131] AH01617: user miati: authentication failure for "/test/file.html": Password Mismatch, referer: https://example.org/test/file.html
Neither works correctly. I would like to get them re-written so they do work but I cannot figure out how the filter works, and googling is not getting me anywhere. Most guides presume I understand the regex, which I do not.
Could anyone explain (or link to) what these parameters in the filter mean so I can modify it on my own?
I was having this same issue with Fail2Ban v0.8.11 and initially found your post about 13 hours after you posted. My eventual solution was to use more current apache-common.conf and apache-auth.conf files from the official GitHub repo. It now catches login attempts and then auto-bans the IP address, though I'm using ufw for the actual banning/unbanning.
Your error message has extra text that fail2ban wasn't expecting. To tell fail2ban to accept this extra text, remove the $ from the end of the pattern or add .* before the $.
The $ in the rule indicates that the log line must end there; however, your log lines contain text after the words "Password Mismatch". Removing the $ removes that restriction. .* means "allow anything", so adding that allows anything before the end of the line.
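The anchoring behaviour described in the answer above can be checked outside fail2ban with Python's re module, the regex engine fail2ban itself uses. This is an added example, not code from the posts or from the fail2ban project: PREFIX is a constructed stand-in for %(_apache_error_client)s with <HOST> expanded to an IPv4 group, and the referer_only variant is an assumed, narrower alternative that accepts only the optional referer suffix instead of any trailing text.

```python
import re

# Constructed stand-in for %(_apache_error_client)s (NOT fail2ban's definition):
# timestamp, [module:level], optional [pid N], [client IP:port].
PREFIX = (r"\[[^]]*\] \[\S+\]( \[pid \d+\])? "
          r"\[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(:\d+)?\]")

# Body of the first filter from the question, without its end anchor.
TAIL = r' (AH01617: )?user .* authentication failure for "\S*": Password Mismatch'

FILTERS = {
    # As posted: "$" requires the line to end right after "Password Mismatch".
    "original": "^" + PREFIX + TAIL + "$",
    # Fix from the answer: ".*" before "$" accepts any trailing text.
    "relaxed": "^" + PREFIX + TAIL + ".*$",
    # Assumed narrower variant: only an optional ", referer: URL" may follow.
    "referer_only": "^" + PREFIX + TAIL + r"(, referer: \S+)?$",
}

# Log line from the question, and constructed variants of it.
LOG_WITH_REFERER = (
    '[Tue Dec 23 13:41:45.870693 2014] [auth_basic:error] [pid 2818] '
    '[client 97.171.82.123:91131] AH01617: user miati: authentication failure '
    'for "/test/file.html": Password Mismatch, referer: https://example.org/test/file.html')
LOG_PLAIN = LOG_WITH_REFERER.split(", referer:")[0]
LOG_JUNK = LOG_PLAIN + " unexpected trailing text"


def matched_host(name, line):
    """Return the client IP the named filter would report, or None if no match."""
    m = re.search(FILTERS[name], line)
    return m.group("host") if m else None


if __name__ == "__main__":
    samples = (("plain", LOG_PLAIN), ("referer", LOG_WITH_REFERER), ("junk", LOG_JUNK))
    for name in FILTERS:
        for label, line in samples:
            print(f"{name:13} {label:8} -> {matched_host(name, line)}")
```

For testing a real filter file against a real log, fail2ban ships the fail2ban-regex tool, which takes the log path and the filter path as arguments.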