Are there any class A OS that don’t use that location?
It doesn’t need the .conf on the end which would actually ignore any .local files that you may have created.
That’s my concern, f2b is not actually working with apache logs on Virtualmin.
Maybe the jail is not configured correctly? I would have thought it would use the global jail config if none was specified.
I had this with ubuntu, turned out to be the wrong setting in jail.conf
Whoever has the curiosity to look in the /var/log directory will find a file created by Fail2Ban named fail2ban.log that provides enough information about what happens backstage (filters, actions and many others).
Why doesn’t Fail2Ban work?
The Fail2Ban manual is not at all complicated at first reading.
BTW - no issues in production with a Debian 12, but still keeping an eye on logs.
That’s how I found out the backend was wrong
Another observation on RHEL9.
Webmin list of Log Filters ignores .local files even though they work - with or without a matching .conf file.
Same when editing Jails, .local files don’t show up unless you manually edit it into jail.local. They still work though.
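The observation above is about how Fail2Ban layers its configuration files: the engine reads jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local, and a later file overrides the earlier ones, which is why a jail that exists only in a .local file works even when a UI that reads only the .conf file never lists it. The following is an added example (not from the thread or from the Fail2Ban project) that models that precedence with Python's configparser over constructed in-memory stand-ins for those files; it ignores Fail2Ban's `%(...)s` interpolation and is only a model of the read order.

```python
import configparser

# Constructed stand-ins for files fail2ban would read from /etc/fail2ban (not real configs).
JAIL_CONF = """
[DEFAULT]
backend = systemd
maxretry = 5
findtime = 600
bantime = 600

[sshd]
enabled = true
"""

JAIL_D_CONF = """
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/virtualmin/*access_log
"""

JAIL_LOCAL = """
[DEFAULT]
backend = auto

[wordpress]
maxretry = 1
"""

# fail2ban's read order: jail.conf, jail.d/*.conf, jail.local, jail.d/*.local; later wins.
READ_ORDER = [
    ("jail.conf", JAIL_CONF),
    ("jail.d/wordpress.conf", JAIL_D_CONF),
    ("jail.local", JAIL_LOCAL),
]


def load_jails(layers=READ_ORDER):
    """Read the layers in order; each later layer overrides keys set earlier."""
    cp = configparser.ConfigParser(interpolation=None)
    for name, text in layers:
        cp.read_string(text, source=name)
    return cp


def effective(cp, jail):
    """Effective options for one jail, with [DEFAULT] values filled in as fail2ban does."""
    return dict(cp.items(jail))


def conf_only_view():
    """What a tool that reads only jail.conf would see (mirrors the .local-ignoring UI)."""
    return load_jails(layers=READ_ORDER[:1])


if __name__ == "__main__":
    full = load_jails()
    print("jails seen by fail2ban:", full.sections())
    print("wordpress effective:", effective(full, "wordpress"))
    print("jails seen reading only jail.conf:", conf_only_view().sections())
```

Running it shows the `wordpress` jail and `backend = auto` only in the fully layered view; the conf-only view lists just `sshd` with `backend = systemd`. On a live server, `fail2ban-client status wordpress` reports what the running daemon actually loaded, which is the view that matters.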
I have f2b working with multiple logs on virtualmin including xmlrpc bans for Wordpress sites. You will need to dig deeper into f2b log using debug settings and look at the output from the cli showing current settings and configurations. F2b works very well but you need the logs to see what is happening.
I thought RTFM advice died at the end of the last century?
By simply comparing jails that work on a non-Virtualmin server, I found that adding these 2 lines to the jail got it working.
logpath = /var/log/virtualmin/*access_log
backend = auto
Delete the existing logpath line first.
There might be good reasons why Virtualmin changes the backend compared to Webmin on a stand alone server with the same OS.
Howdi
F2B is working, I just can't get this particular instance of banning xmlrpc.php attempts to work. F2B has always worked.
All Jails, including the one that is not working, appear to load correctly.
2023-08-19 21:45:35,703 fail2ban.server [3457551]: INFO Reload all jails
2023-08-19 21:45:35,703 fail2ban.filtersystemd [3457551]: INFO [sshd] Removed journal match for: ‘’
2023-08-19 21:45:35,703 fail2ban.filtersystemd [3457551]: INFO [proftpd] Removed journal match for: '’
2023-08-19 21:45:35,703 fail2ban.filtersystemd [3457551]: INFO [postfix] Removed journal match for: ‘’
2023-08-19 21:45:35,704 fail2ban.filtersystemd [3457551]: INFO [dovecot] Removed journal match for: '’
2023-08-19 21:45:35,704 fail2ban.server [3457551]: INFO Reload jail ‘sshd’
2023-08-19 21:45:35,705 fail2ban.filter [3457551]: INFO maxLines: 1
2023-08-19 21:45:35,706 fail2ban.filtersystemd [3457551]: INFO [sshd] Added journal match for: ‘_SYSTEMD_UNIT=sshd.service + _COMM=sshd’
2023-08-19 21:45:35,706 fail2ban.filter [3457551]: INFO maxRetry: 5
2023-08-19 21:45:35,706 fail2ban.filter [3457551]: INFO findtime: 600
2023-08-19 21:45:35,706 fail2ban.actions [3457551]: INFO banTime: 600
2023-08-19 21:45:35,707 fail2ban.filter [3457551]: INFO encoding: UTF-8
2023-08-19 21:45:35,707 fail2ban.server [3457551]: INFO Reload jail ‘webmin-auth’
2023-08-19 21:45:35,707 fail2ban.filter [3457551]: INFO maxRetry: 5
2023-08-19 21:45:35,708 fail2ban.filter [3457551]: INFO findtime: 600
2023-08-19 21:45:35,708 fail2ban.actions [3457551]: INFO banTime: 600
2023-08-19 21:45:35,708 fail2ban.filter [3457551]: INFO encoding: UTF-8
2023-08-19 21:45:35,708 fail2ban.server [3457551]: INFO Reload jail ‘proftpd’
2023-08-19 21:45:35,709 fail2ban.filtersystemd [3457551]: INFO [proftpd] Added journal match for: ‘_SYSTEMD_UNIT=proftpd.service’
2023-08-19 21:45:35,709 fail2ban.filter [3457551]: INFO maxRetry: 5
2023-08-19 21:45:35,709 fail2ban.filter [3457551]: INFO findtime: 600
2023-08-19 21:45:35,709 fail2ban.actions [3457551]: INFO banTime: 600
2023-08-19 21:45:35,709 fail2ban.filter [3457551]: INFO encoding: UTF-8
2023-08-19 21:45:35,709 fail2ban.server [3457551]: INFO Reload jail ‘postfix’
2023-08-19 21:45:35,710 fail2ban.filtersystemd [3457551]: INFO [postfix] Added journal match for: ‘_SYSTEMD_UNIT=postfix.service’
2023-08-19 21:45:35,710 fail2ban.filter [3457551]: INFO maxRetry: 5
2023-08-19 21:45:35,710 fail2ban.filter [3457551]: INFO findtime: 600
2023-08-19 21:45:35,710 fail2ban.actions [3457551]: INFO banTime: 600
2023-08-19 21:45:35,710 fail2ban.filter [3457551]: INFO encoding: UTF-8
2023-08-19 21:45:35,711 fail2ban.server [3457551]: INFO Reload jail ‘dovecot’
2023-08-19 21:45:35,711 fail2ban.datedetector [3457551]: INFO date pattern '': {^LN-BEG}TAI64N
2023-08-19 21:45:35,711 fail2ban.filtersystemd [3457551]: INFO [dovecot] Added journal match for: ‘_SYSTEMD_UNIT=dovecot.service’
2023-08-19 21:45:35,712 fail2ban.filter [3457551]: INFO maxRetry: 5
2023-08-19 21:45:35,712 fail2ban.filter [3457551]: INFO findtime: 600
2023-08-19 21:45:35,712 fail2ban.actions [3457551]: INFO banTime: 600
2023-08-19 21:45:35,712 fail2ban.filter [3457551]: INFO encoding: UTF-8
2023-08-19 21:45:35,712 fail2ban.server [3457551]: INFO Reload jail ‘postfix-sasl’
2023-08-19 21:45:35,713 fail2ban.filter [3457551]: INFO maxRetry: 5
2023-08-19 21:45:35,713 fail2ban.filter [3457551]: INFO findtime: 600
2023-08-19 21:45:35,713 fail2ban.actions [3457551]: INFO banTime: 600
2023-08-19 21:45:35,713 fail2ban.filter [3457551]: INFO encoding: UTF-8
2023-08-19 21:45:35,714 fail2ban.server [3457551]: INFO Reload jail ‘wordpress’
2023-08-19 21:45:35,714 fail2ban.filter [3457551]: INFO maxRetry: 1
2023-08-19 21:45:35,714 fail2ban.filter [3457551]: INFO findtime: 600
2023-08-19 21:45:35,714 fail2ban.actions [3457551]: INFO banTime: 600
2023-08-19 21:45:35,714 fail2ban.filter [3457551]: INFO encoding: UTF-8
2023-08-19 21:45:35,715 fail2ban.server [3457551]: INFO Jail ‘sshd’ reloaded
2023-08-19 21:45:35,715 fail2ban.server [3457551]: INFO Jail ‘webmin-auth’ reloaded
2023-08-19 21:45:35,715 fail2ban.server [3457551]: INFO Jail ‘proftpd’ reloaded
2023-08-19 21:45:35,715 fail2ban.server [3457551]: INFO Jail ‘postfix’ reloaded
2023-08-19 21:45:35,715 fail2ban.server [3457551]: INFO Jail ‘dovecot’ reloaded
2023-08-19 21:45:35,715 fail2ban.server [3457551]: INFO Jail ‘postfix-sasl’ reloaded
2023-08-19 21:45:35,715 fail2ban.server [3457551]: INFO Jail ‘wordpress’ reloaded
2023-08-19 21:45:35,717 fail2ban.server [3457551]: INFO Reload finished.
Now the interesting thing here is I am seeing a reference to fail2ban.filtersystemd. I could be way off the mark here, like I said I know nothing about F2B, but is it reading the logs from the Journal (systemd logs) and not the logs from syslog? That could explain why everything works except the new jail I’m trying to set up?
Michael
Well, can you post the filter and jail file here for all to see? Thanks.
Where did you add the backend = auto in the jail file?
OK BINGO … this one worked for me. It’s now banning xmlrpc.php requests.
I want to say thank you to all here, very much appreciated.
And thanks Randomz for the final piece of the puzzle.
So question, what exactly does backend = auto do?
Thanks
Michael
Did you not read post 44?
yes I did, but found it a little vague. I was about to go and read that github link for a better understanding.
Thanks
Under Virtualmin the backend is set to systemd, yet on a system without Virtualmin - but still managed by Webmin it is set to “auto”.
I would be interested for any comments from staff.
That’s what I found…
These won’t mean much unless you have the jail.conf and other config files. A lot of the settings are configured and overwritten locally. Here are my files for a non-WordPress log, detecting xmlrpc and reporting abuses to abuseipdb.com:
[wp-xmlrpc2]
# this is for lancairtalk logs, not using Wordpress log format
enabled = true
filter = wp-xmlrpc2
# continuation lines of a multi-valued option must be indented or fail2ban won't read them
logpath = /var/log/virtualmin/lancairtalk.net_access_log
          /var/log/virtualmin/lancairsforsale.com_access_log
bantime.increment = true
bantime.factor = 4
bantime.maxtime = 18w
findtime = 60d
maxretry = 1
bantime = 60d
port = 0-65535
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_category="21", matches="xmlrpc attack blocked attempt from fail2ban"]
And the filter:
# Fail2Ban filter for WordPress hard failures
# for use on lancairtalk non-wordpress logs
[INCLUDES]
before = common.conf
[Definition]
#_daemon = (?:wordpress|wp)
datepattern = \[(%%d/%%b/%%Y:%%H:%%M:%%S %%z)\]
#failregex = <HOST> .*POST .*xmlrpc.php
# <HOST> .*POST .*wp-login.php
# second pattern is a continuation line and must be indented
failregex = ^<HOST>.*-.*"(GET|POST|HEAD).*xmlrpc.*
            ^<HOST>.*-.*"(GET|POST|HEAD).*wp-login.php
ignoreregex =
# https://talk.plesk.com/threads/custom-fail2ban-login-wordpress-not-working.342079/
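To see what the filter above actually does with an Apache access log, here is an added example (my own code, not the poster's and not Fail2Ban's) that replays its datepattern and failregex against a few constructed log lines the way a stripped-down fail2ban-regex would: the date is located and removed from the line, `<HOST>` is expanded to a host-capturing group, and the remaining failures are counted per host against maxretry/findtime. The `<HOST>` expansion here is a simplified stand-in for Fail2Ban's real one, the `%%` in the posted datepattern becomes `%` after Fail2Ban's config interpolation, and the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [19/Aug/2023:21:40:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Aug/2023:21:40:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Aug/2023:21:41:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2150 "-" "curl/8.0"
192.0.2.55 - - [19/Aug/2023:21:42:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2001:db8::1 - - [19/Aug/2023:21:43:00 +0000] "HEAD /xmlrpc.php HTTP/1.1" 405 0 "-" "python-requests/2.31"
"""

# The posted filter, after fail2ban's interpolation has turned %% into %.
DATEPATTERN = r"\[(%d/%b/%Y:%H:%M:%S %z)\]"
DATE_FMT = "%d/%b/%Y:%H:%M:%S %z"
FAILREGEX = [
    r'^<HOST>.*-.*"(GET|POST|HEAD).*xmlrpc.*',
    r'^<HOST>.*-.*"(GET|POST|HEAD).*wp-login.php',
]

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4, IPv6 or hostname).
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+|[\w\-.]+\w)"

# strptime directives -> regex fragments; enough for the pattern above.
_DATE_DIRECTIVES = {
    "%d": r"\d{2}", "%b": r"[A-Z][a-z]{2}", "%Y": r"\d{4}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}", "%z": r"[+-]\d{4}",
}


def datepattern_to_regex(pattern):
    """Turn a strptime-style datepattern into a regex that captures the date text."""
    out = pattern
    for directive, frag in _DATE_DIRECTIVES.items():
        out = out.replace(directive, frag)
    return re.compile(out)


DATE_REGEX = datepattern_to_regex(DATEPATTERN)
COMPILED = [re.compile(r.replace("<HOST>", HOST_RE)) for r in FAILREGEX]


def split_date(line):
    """Return (timestamp, line with the date text cut out), as fail2ban does before matching."""
    m = DATE_REGEX.search(line)
    if not m:
        return None, line
    ts = datetime.strptime(m.group(1), DATE_FMT)
    return ts, line[:m.start()] + line[m.end():]


def find_failures(log_text):
    """List of (timestamp, host) for every line that hits one of the failregex."""
    hits = []
    for line in log_text.splitlines():
        ts, rest = split_date(line)
        if ts is None:
            continue  # undated lines are never counted
        for rx in COMPILED:
            m = rx.search(rest)
            if m:
                hits.append((ts, m.group("host")))
                break
    return hits


def bans(hits, maxretry=1, findtime=600):
    """Hosts that reach maxretry failures inside a findtime-second window, in ban order."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for ts, host in hits:
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    hits = find_failures(SAMPLE_LOG)
    for ts, host in hits:
        print(ts.isoformat(), host)
    print("banned with maxretry=1:", bans(hits, maxretry=1))
    print("banned with maxretry=2:", bans(hits, maxretry=2))
```

With the posted `maxretry = 1` every matching host is banned on its first hit; raising maxretry to 2 leaves only the host that posted to xmlrpc.php twice inside the window. The real check on the server is `fail2ban-regex /var/log/virtualmin/<site>_access_log /etc/fail2ban/filter.d/wp-xmlrpc2.conf`, which prints how many lines the datepattern and each failregex matched.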
Thanks. Question: how are you using AbuseIPDB in blocking connections? I can’t find anything remotely coherent in the last couple of hours (plenty on submitting IPs).
Michael