Regex experts enter here

Try some apache filters that came supplied.

You could set maxretry to 1 and bantime to 1 just to get a result in the log without doing any real damage.

My global apache logs are empty so nothing to ban :slight_smile:

I wonder if you're on to something here

When you create a new jail or make changes to files, Fail2Ban must reload the configuration. Just restart the service or use fail2ban-client.

When you run fail2ban-regex [log file] [filter], in the results you look for [number] matched. If it finds at least one match, it means that the filter is working. You can run the command cat [log file] | grep "POST //xmlrpc" | wc -l to double-check how many lines in the log have that string. It should be equal to what Fail2Ban finds.

Can't find the log file

cat /var/log/virtualmin/healthforlife.com.au_access_log | grep “POST //xmlrpc” | wc -l
grep: //xmlrpc”: No such file or directory
0
cat: write error: Broken pipe

Ohh and yes I reload the config each time :slight_smile:

Maybe the file is located in other place. That path is valid in a Debian machine.

The log file is definitely in that location (I am on Debian). But I'll keep poking around.

You can simulate that line that is recorded in the access log using the curl command. You have to do it carefully so you don’t end up locking yourself up.

I would also do it in the following way, I would copy what you pasted in the first post, those lines from the log into another file and test it with regex. It is not necessary to use the webserver’s access log file when using the fail2ban-regex command.

fail2ban-regex /var/log/virtualmin/healthforlife.com.au_access_log xmlrpc

So just create a new file and populate it with the original logs?

Please note the commands below do not give the same result when the working directory is not /etc/fail2ban/filter.d/

fail2ban-regex /var/log/virtualmin/domain.tld_access_log [filter_name].conf

fail2ban-regex /var/log/virtualmin/domain.tld_access_log /etc/fail2ban/filter.d/[file_name].conf

You can create a test log like this one, /var/log/xmlrpc.log, then paste inside a few lines you want to test (the ones from this post). Run fail2ban-regex with this file and the full path to the filter. When the filter works as expected, delete the test file.

The filter appears to be working now, as shown above. When I run fail2ban-regex /var/log/virtualmin/healthforlife.com.au_access_log /etc/fail2ban/filter.d/xmlrpc.conf I get output.

Or are you saying move the new log file to /var/log and try that with the cat command?

Or am I misreading you here?

Thanks
Michael

You don't have to move anything. You mentioned that you have no records in the webserver's log or that you cannot find it. I have offered you an alternative to test any filter created in Fail2Ban without using the logs created by the services.

The cat command that I showed above helps you confirm the fail2ban-regex results on that log file.

Ahh, no. I said the global logs are empty. The user's apache logs are full (I'm guessing that's normal Virtualmin operation; when I run fail2ban-regex on the user log it comes back with a match and seems to be working fine), but when I try to run cat [log file] | grep “POST //xmlrpc” | wc -l, it comes back as not found.

So one finds the file and one doesn't.


Thanks
Michael

You said it is a Debian OS. Let's run the next command and replace mydomain.tld with your domain (if this is your log actually).

root@server:~# cat /var/log/virtualmin/mydomain.tld_access_log | grep "POST " | wc -l
805

What does the result say? There are 805 lines in the access log that contain the string POST followed by one space. If I create a filter in Fail2Ban for this string and use the fail2ban-regex command, I should get 805 matches.
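The whole procedure from this thread in one runnable script, added here as an example and not code from the thread, from Virtualmin or from the fail2ban project: build the throwaway test log the earlier reply suggests, write a candidate xmlrpc filter, cross-check the fail2ban-regex count with grep as described just above, and work out which source addresses would reach maxretry. The log lines, the filter contents, the jail.local fragment and the addresses are all constructed assumptions for the demonstration; the only real tool invoked is fail2ban-regex, and only when it is installed. Note the quotes in the grep: they must be plain ASCII. The "grep: //xmlrpc”: No such file or directory" error earlier in the thread is what happens when the typographic quotes from a forum post are pasted into a shell, which then passes “POST as the pattern and //xmlrpc” as a file name, so wc reports 0 and cat gets a broken pipe.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway test log from
# constructed Apache lines, writes a candidate filter, cross-checks the hit
# count with grep and lists hosts that would reach maxretry. fail2ban-regex
# is run only if present; everything else is POSIX sh.
set -eu

WORK="${TMPDIR:-/tmp}/f2b-xmlrpc-test.$$"
mkdir -p "$WORK/filter.d"
trap 'rm -rf "$WORK"' EXIT   # the thread's advice: delete the test file afterwards

# Constructed combined-format access log lines (not real traffic): three
# POSTs to //xmlrpc.php, two from 203.0.113.7 and one from 198.51.100.9.
cat > "$WORK/test_access_log" <<'EOF'
203.0.113.7 - - [10/Jan/2024:10:00:01 +1000] "POST //xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2024:10:00:02 +1000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:03 +1000] "POST //xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2024:10:00:04 +1000] "POST //xmlrpc.php HTTP/1.1" 200 403 "-" "curl/7.88.1"
EOF

# Candidate filter (assumed contents; the thread's own xmlrpc.conf is not
# shown). fail2ban substitutes <HOST> with its IP/hostname pattern at load.
cat > "$WORK/filter.d/xmlrpc.conf" <<'EOF'
[Definition]
failregex = ^<HOST> .* "POST //xmlrpc\.php
ignoreregex =
EOF

# Throwaway jail settings for a first run (assumed layout; keep it out of
# /etc until the filter is proven). maxretry=1 and bantime=1 give a visible
# ban in fail2ban.log almost at once; ignoreip keeps your own address out of
# the ban list so a curl test cannot lock you out. Add your admin IP to it.
cat > "$WORK/jail.local" <<'EOF'
[xmlrpc]
enabled  = true
port     = http,https
filter   = xmlrpc
logpath  = /var/log/virtualmin/domain.tld_access_log
maxretry = 1
bantime  = 1
ignoreip = 127.0.0.1/8 ::1
EOF

# Plain string count, the cross-check from the thread (ASCII quotes only).
count_hits() {  # $1 = log file
    grep -c 'POST //xmlrpc' "$1" || true   # grep -c exits 1 on zero hits
}

# Apply the filter's failregex with grep -E, standing in for <HOST> with a
# dotted-quad pattern. Equal to count_hits means the regex matches what the
# string search matches.
count_regex_hits() {  # $1 = log file, $2 = filter file
    re=$(sed -n 's/^failregex *= *//p' "$2" | sed 's/<HOST>/[0-9.]+/')
    grep -Ec "$re" "$1" || true
}

# Hosts fail2ban would ban: hits per source IP, kept when >= maxretry.
banned_hosts() {  # $1 = log file, $2 = maxretry
    grep 'POST //xmlrpc' "$1" | awk '{print $1}' | sort | uniq -c \
        | awk -v m="$2" '$1 >= m {print $2}' | sort
}

echo "grep string hits  : $(count_hits "$WORK/test_access_log")"
echo "grep regex hits   : $(count_regex_hits "$WORK/test_access_log" "$WORK/filter.d/xmlrpc.conf")"
echo "banned, maxretry=2: $(banned_hosts "$WORK/test_access_log" 2 | tr '\n' ' ')"

# The real check, with the full path to the filter (a bare filter name only
# resolves when the working directory is /etc/fail2ban/filter.d).
if command -v fail2ban-regex >/dev/null 2>&1; then
    fail2ban-regex "$WORK/test_access_log" "$WORK/filter.d/xmlrpc.conf"
fi
```

If fail2ban-regex reports matches but nothing is ever banned, the filter is not the problem. Check the jail instead: it must be enabled and the configuration reloaded, its logpath must point at the per-domain log that actually has traffic (here under /var/log/virtualmin, not the empty global Apache log), maxretry must be reachable inside findtime, and /var/log/fail2ban.log plus fail2ban-client status [jail] will show whether the jail is reading the file at all.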

If I run cat /var/log/virtualmin/healthforlife.com.au_access_log | grep "POST " | wc -l

It says

21567

So it seems to now be finding the log file, correct?

I am sorry to say it, but you didn't understand anything from the example provided. It was of a general nature, for a certain case study. I have provided you with all the necessary information to create a filter, check it in two ways, apply it to the log file and much more.

The filter is working, has been since I posted above. The issue is f2b doesn’t seem to be doing any banning with it.

And don't worry, I won't take offence; f2b is not my bread and butter.

Thanks
Michael