I am trying to create a regex for my fail2ban filter to block all IPs that get an incorrect login on a web application. The way I distinguish this is that each login generates a GET request in the access log with this thing "?&err=1".
This is an example log line from the Apache access log:
XX.XX.XX.XX - - [14/Mar/2023:00:51:56 +0200] "GET /index.html?&err=1 HTTP/1.1" 200 37613
I tried this as regexes:
[[]client <HOST>[]] - - "?&err=1"
and
client <HOST> - - * "GET * err=1 *
but they don't block anything. What would be the correct regex here?
Thanks in advance for any help.
Update as of 19/04/2023:
I edited my web application to print the following error line in error_log:
[Wed Apr 19 00:40:10 2023] [error] [client 8.8.8.8] Selecting user ERROR!, referer: https://example.net/
The following fail2ban regexes don't work:
1. failregex = ^\[client <HOST>\] Selecting user ERROR!
2. failregex = ^\[client <HOST>\] Selecting user ERROR!, referer:
3. failregex = ^\[\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}\] \[error\] \[client <HOST>\] Selecting user ERROR!, referer: https:\/\/example\.net\/
Any ideas where I am wrong?
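Added example, not part of the original post and not fail2ban's own code: a small Python harness that checks attempts 1 and 3 from the update, plus two hypothetical candidate patterns (CAND_ACCESS, CAND_ERROR), against the quoted log formats. It assumes fail2ban removes the timestamp it detected before applying failregex and uses a simplified IPv4-only stand-in for <HOST>; the address 203.0.113.7 is constructed.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Approximation of the timestamp removal fail2ban performs before it
# applies failregex (assumption: only the two formats seen in the post).
TIMESTAMP = re.compile(
    r"\[?(?:\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}"
    r"|\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\]?"
)

def strip_timestamp(line):
    """Remove the first timestamp, leaving the rest of the line intact."""
    return TIMESTAMP.sub("", line, count=1)

def matched_host(failregex, line):
    """Expand <HOST>, search the line, return the captured address or None."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None

# Constructed sample lines in the two formats quoted in the post
# (203.0.113.7 replaces the redacted XX.XX.XX.XX address).
ACCESS = ('203.0.113.7 - - [14/Mar/2023:00:51:56 +0200] '
          '"GET /index.html?&err=1 HTTP/1.1" 200 37613')
ERROR = ('[Wed Apr 19 00:40:10 2023] [error] [client 8.8.8.8] '
         'Selecting user ERROR!, referer: https://example.net/')

# Attempts 1 and 3 from the update, copied unchanged.
ATTEMPT_1 = r"^\[client <HOST>\] Selecting user ERROR!"
ATTEMPT_3 = (r"^\[\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}\] \[error\] "
             r"\[client <HOST>\] Selecting user ERROR!, referer: "
             r"https:\/\/example\.net\/")

# Hypothetical candidates: neither depends on the timestamp, and the
# error-log one is not anchored because "[error] " precedes "[client".
CAND_ACCESS = r'^<HOST> - - .*"GET \S*[?&]err=1(?:&\S*)? HTTP/'
CAND_ERROR = r"\[client <HOST>\] Selecting user ERROR!"

if __name__ == "__main__":
    for name, rx, line in [("attempt 1", ATTEMPT_1, ERROR),
                           ("attempt 3", ATTEMPT_3, ERROR),
                           ("candidate error", CAND_ERROR, ERROR),
                           ("candidate access", CAND_ACCESS, ACCESS)]:
        print(name, "raw:", matched_host(rx, line),
              "stripped:", matched_host(rx, strip_timestamp(line)))
```

Patterns that pass here should still be confirmed with fail2ban-regex against the real log file, since the installed version decides exactly what remains of the line after the timestamp is removed.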