SWAG and fail2ban

Hey all,

I was just checking my logs and it didn’t look like fail2ban was doing much. When I looked into it further, it seems the access log has HOST at the start of the line, and the timestamp after it. fail2ban seems to assume the timestamp comes first (in the Filters section here: "MANUAL 0 8 - Fail2ban", it says the regex in filters applies after it’s chopped the timestamp off the beginning of the line).

I’ve fixed my setup now by changing the log format in the nginx.conf, and I’ve added a few filter patterns of my own, and everything seems to be working for me now - lots of banned IPs.

My question is, how is this working for everyone else? My searches show people with other f2b questions, but nothing about it not working at all for them. Did I do something weird somehow? Or has something changed recently (I only installed SWAG recently) and nobody noticed a change yet?