I face a similar issue on Wheezy, when using basic authentication, with
version 0.8.6-3wheezy3: the authentication failures are not matched by
the fail2ban regex in the filter apache-auth.conf.

It seems to come from the debian patch applied in
http://security.debian.org/debian-security/pool/updates/main/f/fail2ban/fail2ban_0.8.6-3wheezy3.diff.gz
:
-failregex = [[]client <HOST>[]] user .* authentication failure
-            [[]client <HOST>[]] user .* not found
-            [[]client <HOST>[]] user .* password mismatch
+failregex = ^%(_apache_error_client)s user .* (authentication
failure|not found|password mismatch)\s*$
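
Review bot: the "\s*$" at the end of the added failregex allows only whitespace after the reason text, whereas the three removed rules had no end anchor and matched regardless of what followed. Any error-log line that continues after "authentication failure", "not found" or "password mismatch" therefore stops matching, and the client is never counted. Consider permitting an optional trailing detail before the "$" (or dropping the end anchor) and checking the rule against a line that carries such a suffix.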

The problem comes from the trailing \s. If I replace it with a dot, it
works:
failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch).*$

Here is an example of a log line generated by my Apache config:
[Tue Jul 29 11:38:11 2014] [error] [client xxx.xxx.xxx.xxx] user XXXX not found: /path/

The "not found" string is followed by a ":", which explains the regex
did not match.

I use the standard version of Apache that comes with wheezy :
2.2.22-13+deb7u3
And my log file is configured with :
CustomLog /var/log/apache2/error.log vhost_combined


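The mismatch described in the report above can be reproduced offline. This is an added example, not code from the report or from fail2ban: it runs the rule variants over two constructed log lines. The expansions of <HOST> and %(_apache_error_client)s are simplified assumptions, and the "suffix" variant is a hypothetical tighter alternative to the ".*$" workaround.

```python
import re

# Assumption: simplified stand-ins for fail2ban's <HOST> tag and for the
# _apache_error_client prefix (Apache 2.2 error-log layout).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"\[[^]]+\] \[error\] \[client " + HOST + r"\]"
REASONS = r"(authentication failure|not found|password mismatch)"

VARIANTS = {
    # Pre-patch rule (brackets written as \[ \], equivalent to [[] and []]):
    # no end anchor, so text after the reason is ignored.
    "original": r"\[client " + HOST + r"\] user .* not found",
    # Patched rule from the diff: only whitespace may follow the reason.
    "patched": "^" + PREFIX + " user .* " + REASONS + r"\s*$",
    # Workaround from the report: anything may follow the reason.
    "workaround": "^" + PREFIX + " user .* " + REASONS + r".*$",
    # Hypothetical tighter form: only an optional ": <detail>" suffix.
    "suffix": "^" + PREFIX + " user .* " + REASONS + r"(?:: .*)?\s*$",
}

# Constructed sample lines; 192.0.2.10 is a documentation address.
BARE = ("[Tue Jul 29 11:38:12 2014] [error] [client 192.0.2.10] "
        "user alice not found")
WITH_PATH = ("[Tue Jul 29 11:38:11 2014] [error] [client 192.0.2.10] "
             "user alice not found: /path/")


def banned_host(variant, line):
    """Return the host the rule would report for this line, or None."""
    m = re.search(VARIANTS[variant], line)
    return m.group("host") if m else None


def report():
    """Map each variant to (host for BARE, host for WITH_PATH)."""
    return {name: (banned_host(name, BARE), banned_host(name, WITH_PATH))
            for name in VARIANTS}


if __name__ == "__main__":
    for name, (bare, with_path) in report().items():
        print(f"{name:10} bare={bare} with_path={with_path}")
```

On a host with fail2ban installed, fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf runs the same check against the real filter and log.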