I have an Ubuntu 22.04 server running Unifi Network Application 7.1.65. I’m trying my best to harden the server so I’ve enabled UFW and opened up these ports: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
Now I’d like to get Fail2Ban working but I can’t get it to match any lines from my log files. The default date pattern is not what Unifi uses, which looks like this:
[2022-05-18T18:23:16,677] WARN api - failed to authenticate to SSO: Cloud operation failed! RC=403, error: {"detail":"Invalid credential"}
I’ve tried several datepattern options and what seems like every variation thereof:
.%%Y-%%m-%%d[T]%%H:%%M:%%S,%%f.
[%%Y-%%m-%%d[T]%%H:%%M:%%S,%%f]
[%%Y-%%m-%%dT%%H:%%M:%%S,%%f]
\[%%Y-%%m-%%d\T%%H:%%M:%%S,%%f\]
In every case, the result of running the test
fail2ban-regex /var/log/unifi/server.log /etc/fail2ban/filter.d/unifi.conf
is always this:
Running tests
=============
Use failregex filter file : unifi, basedir: /etc/fail2ban
Use datepattern : .%Y-%m-%d[T]%H:%M:%S,%f. : .Year-Month-Day[T]24hour:Minute:Second,Microseconds.
Use log file : /var/log/unifi/server.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [75496] .Year-Month-Day[T]24hour:Minute:Second,Microseconds.
`-
Lines: 75655 lines, 0 ignored, 0 matched, 75655 missed
[processed in 13.60 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 75655 lines
Or I just get python errors in the output depending on my combination of square brackets.
For starters I had to randomly stumble across the formatting for Microseconds (%f), I’d been using the man page for date to figure it out and %f is not documented. Fail2Ban has no reference list for this either.
I’ve been at this for half the day trying different variations and searching for examples. I came across this script early on: Glenn R. but something must have changed a few versions ago because the script no longer gets things working.
Any help is greatly appreciated.
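An added example, not part of the original post and not fail2ban's own code: a simplified Python stand-in for applying a datepattern, run over the four patterns from the post plus one added variant with escaped brackets, showing which ones compile, what timestamp they yield, and what text remains for a failregex. It assumes that everything in a datepattern other than the strptime directives is treated as regular-expression syntax; `check`, `has_address` and the fifth pattern are hypothetical names and values introduced here.

```python
import re
from datetime import datetime

# Sample line copied from the post (the only UniFi log line shown there).
LINE = ('[2022-05-18T18:23:16,677] WARN api - failed to authenticate to SSO: '
        'Cloud operation failed! RC=403, error: {"detail":"Invalid credential"}')

# Simplified stand-in for fail2ban's date templates (assumption, not its code):
# strptime directives become capture groups, all other text is used as regex.
DIRECTIVES = {"Y": r"(?P<Y>\d{4})", "m": r"(?P<m>\d{2})", "d": r"(?P<d>\d{2})",
              "H": r"(?P<H>\d{2})", "M": r"(?P<M>\d{2})", "S": r"(?P<S>\d{2})",
              "f": r"(?P<f>\d{1,6})"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def check(datepattern, line=LINE):
    """Return (status, timestamp, rest_of_line) for one candidate pattern."""
    source = re.sub(r"%([YmdHMSf])", lambda m: DIRECTIVES[m.group(1)], datepattern)
    try:
        found = re.compile(source).search(line)
    except re.error as exc:          # unescaped [ ] or \T end up here
        return ("error: %s" % exc, None, None)
    if not found:
        return ("miss", None, None)
    g = found.groupdict()
    stamp = datetime(int(g["Y"]), int(g["m"]), int(g["d"]), int(g["H"]),
                     int(g["M"]), int(g["S"]), int(g["f"].ljust(6, "0")))
    return ("hit", stamp, line[found.end():].strip())


def has_address(rest):
    """A failregex needs a host to ban; report whether the text has an IPv4."""
    return bool(IPV4.search(rest))


if __name__ == "__main__":
    # Patterns as fail2ban sees them (the %% in a .conf file collapses to %).
    for pattern in (r".%Y-%m-%d[T]%H:%M:%S,%f.",       # from the post
                    r"[%Y-%m-%d[T]%H:%M:%S,%f]",       # from the post
                    r"[%Y-%m-%dT%H:%M:%S,%f]",         # from the post
                    r"\[%Y-%m-%d\T%H:%M:%S,%f\]",      # from the post
                    r"^\[%Y-%m-%dT%H:%M:%S,%f\]"):     # added: escaped brackets
        status, stamp, rest = check(pattern)
        print("%-32s %s %s" % (pattern, status, stamp or ""))
        if status == "hit":
            print("    text left for failregex: %r" % rest)
            print("    contains an address: %s" % has_address(rest))
```

The post's own output shows the same split: 75496 date template hits but `Failregex: 0 total`, and the sample line carries no client address for a failregex to capture.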