Regex
[Definition]
failregex = AUTHFAIL: .* ip=<HOST>
ignoreregex =
datepattern = %%Y%%m%%d-%%H:%%M:%%S
Jail
jail.local
[xrdp]
enabled = true
port = 3389
filter = xrdp
logpath = /var/log/xrdp-sesman.log
maxretry = 3
bantime = 1800
Log I am monitoring
[20230402-19:05:40] [INFO ] AUTHFAIL: user=qwqwe ip=192.168.50.76 time=1680480340
Using Ubuntu 20.04 THANKS!!!
In fail2ban.log I do not get a message that it is working. I need help.
I am using Fail2ban v1.0.2 & Package: xrdp (0.9.21.1-1) on Debian.
My filter & jail.local config are exactly the same as yours, except that I am using my defaults for maxretry and bantime.
Fail2ban works properly with those configurations for me and bans like it should.
You should verify your jail is starting correctly in fail2ban.log:
2023-04-04 18:59:40,573 fail2ban.jail [8705]: INFO Jail 'xrdp' started
and run fail2ban-client to test for configuration problems:
$ fail2ban-client -t
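An offline check of the filter from the question, added here as an example and not taken from either post or from fail2ban's own code: it applies the posted failregex and datepattern to sample xrdp-sesman lines and reports which hosts reach maxretry. The IPv4-only stand-in for `<HOST>`, the 600-second `FINDTIME` and every sample line after the first are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values copied from the filter and jail posted above (%% in the config is a literal %).
FAILREGEX = r"AUTHFAIL: .* ip=<HOST>"
DATEPATTERN = "%Y%m%d-%H:%M:%S"
MAXRETRY = 3
FINDTIME = timedelta(seconds=600)  # assumption: not set in the posted jail

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
LINE_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
STAMP_RE = re.compile(r"\[(\d{8}-\d{2}:\d{2}:\d{2})\]")

# Constructed sample: the first line is the one from the question, the rest are made up.
SAMPLE_LOG = """\
[20230402-19:05:40] [INFO ] AUTHFAIL: user=qwqwe ip=192.168.50.76 time=1680480340
[20230402-19:05:52] [INFO ] AUTHFAIL: user=admin ip=192.168.50.76 time=1680480352
[20230402-19:06:01] [INFO ] starting xrdp-sesman with pid 1234
[20230402-19:06:10] [INFO ] AUTHFAIL: user=root ip=192.168.50.76 time=1680480370
[20230402-19:07:00] [INFO ] AUTHFAIL: user=test ip=192.168.50.99 time=1680480420
"""

def parse_line(line):
    """Return (timestamp, host) for a failure line, or None if it does not match."""
    stamp = STAMP_RE.search(line)
    hit = LINE_RE.search(line)
    if not stamp or not hit:
        return None
    return datetime.strptime(stamp.group(1), DATEPATTERN), hit.group("host")

def hosts_to_ban(log_text):
    """Hosts with MAXRETRY or more failures inside a sliding FINDTIME window."""
    seen, banned = defaultdict(list), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, host = parsed
        window = [t for t in seen[host] if when - t <= FINDTIME] + [when]
        seen[host] = window
        if len(window) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

On the host itself, `fail2ban-regex` run with the log file and the filter file performs the same check with fail2ban's real parser.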