Fail2Ban RegEx works but filter does not

Question

my plan is to ban all accesses to my webserver which repeatedly produce 404-errors and obviously do some scanning only

For this I tried

fail2ban-regex /var/log/apache2/otheraccess.log '^<HOST>. - - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$'

which reported me to have several hundred of matches. But when I add this regular expression to my fail2ban-filter

failregex = ^<HOST>.* - - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$
ignoreregex =.*(robots.txt|favicon.ico|jpg|png|sitemap|sitemap.txt|sitemap.xml.gz|sitemap_index.xml) to my filter, fail2.ban

it finds nothing:

# fail2ban-client status apache-404
Status for the jail: apache-404
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/apache2/access.log /var/log/apache2/other_vhosts_access.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

So...any idea what the reason could be/where to look at why the rule is ignored within fail2ban?

Thanks!

Answer 1

Let's start over and please remove all the configurations you made

---

Can you please please make a filter in filter.d like this

failregex = ^.*"(GET|POST|HEAD).*" (404|444|403|400) .*$
ignoreregex =

---

prevent-apache-404.conf in /etc/fail2ban/filter.d

---

Then create a jail in /etc/fail2ban/jaild.d/apache404.conf

[prevent-apache-404]
enabled   = true
port      = http,https
filter    = prevent-apache-404
logpath   = /var/log/apache*/*access.log
findtime  = 600
maxretry  = 4

---

Then restart fail2ban and check the status

sudo service fail2ban stop
sudo service fail2ban start
sudo service fail2ban status
sudo fail2ban-client status
sudo fail2ban-client status prevent-apache-404

---

Note:The most recent Debian (bookworm) distribution made systemd-journald logging the default, so make sure rsyslog is logging.