Fail2Ban not working on http-get-dos filter


So everything seems to be working when I test, but fail2ban is failing to ban, or even to see, any IP address in the access log.

Here is my setup:

in jail.local I have:

enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/httpd/access_log
maxretry = 10
findtime = 120
bantime = -1
action = iptables[name=HTTP, port=http, protocol=tcp]

in http-get-dos.conf I have:

failregex = ^<HOST> -.*\"(GET|POST).*
ignoreregex =

Running fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/http-get-dos.conf I get:

Running tests

Use   failregex filter file : http-get-dos, basedir: /etc/fail2ban
Use         log file : /var/log/httpd/access_log
Use         encoding : UTF-8


Failregex: 3586 total
|-  #) [# of hits] regular expression
|   1) [3586] ^<HOST> -.*\"(GET|POST).*

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [3601] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?

Lines: 3601 lines, 0 ignored, 3586 matched, 15 missed
[processed in 0.38 sec]

|- Missed line(s):
| - - [13/Jan/2019:11:01:23 +0000] "\x03" 400 226 "-" "-"
| - - [13/Jan/2019:12:34:51 +0000] "PROPFIND / HTTP/1.1" 405 236 "-" "-"
| - - [14/Jan/2019:17:56:08 +0000] "-" 408 - "-" "-"
| - - [14/Jan/2019:22:40:15 +0000] "-" 408 - "-" "-"
| - - [14/Jan/2019:22:40:35 +0000] "-" 408 - "-" "-"
| - - [15/Jan/2019:00:44:14 +0000] "PROPFIND / HTTP/1.1" 405 236 "-" "-"
| - - [15/Jan/2019:05:12:34 +0000] "PROPFIND / HTTP/1.1" 405 236 "-" "-"
| - - [15/Jan/2019:23:48:20 +0000] "Gh0st\xad" 400 226 "-" "-"
| - - [16/Jan/2019:05:57:50 +0000] "PROPFIND / HTTP/1.1" 405 236 "-" "-"
| - - [16/Jan/2019:19:06:23 +0000] "HEAD /redirect.php HTTP/1.0" 404 - "-" " scanner"
| - - [16/Jan/2019:20:42:28 +0000] "CONNECT HTTP/1.1" 301 229 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
| - - [17/Jan/2019:08:46:30 +0000] "PROPFIND / HTTP/1.1" 405 236 "-" "-"
| - - [17/Jan/2019:22:36:03 +0000] "-" 408 - "-" "-"
|  ::1 - - [17/Jan/2019:23:08:46 +0000] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) PHP/7.2.13 (internal dummy connection)"
| - - [17/Jan/2019:23:11:51 +0000] "-" 408 - "-" "-"

tail -f fail2ban.log (I've also restarted fail2ban so you can see what's going on):

2019-01-18 00:23:40,655 fail2ban.filter         [15412]: INFO    Set findtime = 120
2019-01-18 00:23:40,667 fail2ban.jail           [15412]: INFO    Jail 'sshd' started
2019-01-18 00:23:40,668 fail2ban.filtersystemd  [15412]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2019-01-18 00:23:40,673 fail2ban.jail           [15412]: INFO    Jail 'http-get-dos' started
2019-01-18 00:23:40,773 fail2ban.actions        [15412]: NOTICE  [sshd] Ban
2019-01-18 00:25:22,970 fail2ban.filter         [15412]: INFO    [sshd] Found
2019-01-18 00:27:35,921 fail2ban.filter         [15412]: INFO    [sshd] Found
2019-01-18 00:27:49,936 fail2ban.filter         [15412]: INFO    [sshd] Found
2019-01-18 00:33:00,711 fail2ban.filter         [15412]: INFO    [sshd] Found
2019-01-18 00:33:23,489 fail2ban.filter         [15412]: INFO    [sshd] Found
2019-01-18 00:35:25,864 fail2ban.server         [15412]: INFO    Stopping all jails
2019-01-18 00:35:26,700 fail2ban.actions        [15412]: NOTICE  [sshd] Unban
2019-01-18 00:35:26,925 fail2ban.jail           [15412]: INFO    Jail 'sshd' stopped
2019-01-18 00:35:27,915 fail2ban.jail           [15412]: INFO    Jail 'http-get-dos' stopped
2019-01-18 00:35:27,919 fail2ban.server         [15412]: INFO    Exiting Fail2ban
2019-01-18 00:35:28,106 fail2ban.server         [15592]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.7
2019-01-18 00:35:28,107 fail2ban.database       [15592]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-01-18 00:35:28,110 fail2ban.jail           [15592]: INFO    Creating new jail 'sshd'
2019-01-18 00:35:28,129 fail2ban.jail           [15592]: INFO    Jail 'sshd' uses systemd {}
2019-01-18 00:35:28,144 fail2ban.jail           [15592]: INFO    Initiated 'systemd' backend
2019-01-18 00:35:28,145 fail2ban.filter         [15592]: INFO    Set maxRetry = 5
2019-01-18 00:35:28,146 fail2ban.filter         [15592]: INFO    Set jail log file encoding to UTF-8
2019-01-18 00:35:28,146 fail2ban.actions        [15592]: INFO    Set banTime = -1
2019-01-18 00:35:28,146 fail2ban.filter         [15592]: INFO    Set findtime = 600
2019-01-18 00:35:28,146 fail2ban.filter         [15592]: INFO    Set maxlines = 10
2019-01-18 00:35:28,203 fail2ban.filtersystemd  [15592]: INFO    Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2019-01-18 00:35:28,210 fail2ban.jail           [15592]: INFO    Creating new jail 'http-get-dos'
2019-01-18 00:35:28,210 fail2ban.jail           [15592]: INFO    Jail 'http-get-dos' uses systemd {}
2019-01-18 00:35:28,211 fail2ban.jail           [15592]: INFO    Initiated 'systemd' backend
2019-01-18 00:35:28,212 fail2ban.filter         [15592]: INFO    Set maxRetry = 10
2019-01-18 00:35:28,212 fail2ban.filter         [15592]: INFO    Set jail log file encoding to UTF-8
2019-01-18 00:35:28,213 fail2ban.actions        [15592]: INFO    Set banTime = -1
2019-01-18 00:35:28,213 fail2ban.filter         [15592]: INFO    Set findtime = 120
2019-01-18 00:35:28,222 fail2ban.filter         [15592]: INFO    [sshd] Found
2019-01-18 00:35:28,224 fail2ban.filter         [15592]: INFO    [sshd] Found
2019-01-18 00:35:28,229 fail2ban.filter         [15592]: INFO    [sshd] Found
2019-01-18 00:35:28,232 fail2ban.filter         [15592]: INFO    [sshd] Found
2019-01-18 00:35:28,238 fail2ban.jail           [15592]: INFO    Jail 'sshd' started
2019-01-18 00:35:28,239 fail2ban.filtersystemd  [15592]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2019-01-18 00:35:28,242 fail2ban.jail           [15592]: INFO    Jail 'http-get-dos' started
2019-01-18 00:35:28,355 fail2ban.actions        [15592]: NOTICE  [sshd] Ban

fail2ban-client status and fail2ban-client status http-get-dos:

|- Number of jail:  2
`- Jail list:   http-get-dos, sshd

|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- Journal matches:  
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:   

So from what I can see everything seems to be working. The sshd filter is definitely working, but this http-get-dos filter is not working at all, even though I have no problems when I run fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/http-get-dos.conf

I'm using CentOS 7 on DigitalOcean with Fail2Ban v0.9.7, and I've also changed the backend to systemd in jail.local:
backend = systemd

Does anyone have any idea why this is not working?
Upgraded to Fail2ban v0.11.0.dev3; still the same problem.

Best Answer

I've also changed the backend to systemd in jail.local: backend = systemd

Well, this may be the reason - if you configured the systemd backend, fail2ban will monitor the systemd journal (instead of the log file).

Just try to reconfigure it for the jails of services that log to log files:

backend = auto

BTW, a persistent ban for 10 requests in 2 minutes looks too hard to me, especially since it seems to catch every request (I don't see a part covering the status code, like [45]0\d, in your regex).
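As an added illustration of the answer's second point (this is not code from the question, the answer or fail2ban itself), the following Python runs the poster's failregex, and a hypothetical variant restricted to 4xx/5xx responses, over constructed access_log lines with a sliding window that mimics maxretry = 10 inside findtime = 120. The IPv4-only expansion of <HOST> and the errors-only regex are assumptions made for the demonstration.

```python
import re
from datetime import datetime, timedelta

# fail2ban expands <HOST> to a pattern for IPv4/IPv6 addresses and hostnames;
# this IPv4-only stand-in is an assumption made for the demonstration.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
DATE_RE = re.compile(r"\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\]")

# The poster's failregex: every GET/POST line counts as a failure.
ORIGINAL = re.compile(r"^<HOST> -.*\"(GET|POST).*".replace("<HOST>", HOST_RE))
# Hypothetical variant that only counts 4xx/5xx responses, following the
# answer's hint about a status-code part such as [45]0\d.
ERRORS_ONLY = re.compile(
    r"^<HOST> -.*\"(GET|POST)[^\"]*\" [45]\d\d ".replace("<HOST>", HOST_RE))

def hosts_to_ban(lines, pattern, maxretry=10, findtime=120):
    """Hosts whose matches reach maxretry inside a findtime window, mimicking
    fail2ban's per-host sliding window (findtime in seconds)."""
    hits, banned = {}, set()
    for line in lines:
        m = pattern.match(line)
        if not m:
            continue
        ts = datetime.strptime(DATE_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
        recent = [t for t in hits.get(m.group("host"), [])
                  if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        hits[m.group("host")] = recent
        if len(recent) >= maxretry:
            banned.add(m.group("host"))
    return banned

def sample_log():
    """Constructed access_log lines: 203.0.113.5 sends 10 normal GETs (200) over
    90 s; 198.51.100.7 sends 10 requests over 54 s that all return 404."""
    base = datetime(2019, 1, 18, 0, 23, 40)
    fmt = '{ip} - - [{ts} +0000] "GET /{path} HTTP/1.1" {code} 512 "-" "curl/7.29.0"'
    lines = []
    for i in range(10):
        ts = (base + timedelta(seconds=10 * i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(fmt.format(ip="203.0.113.5", ts=ts, path="index.html", code=200))
        ts = (base + timedelta(seconds=6 * i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(fmt.format(ip="198.51.100.7", ts=ts, path="missing", code=404))
    return lines

if __name__ == "__main__":
    log = sample_log()
    print("original filter would ban:", hosts_to_ban(log, ORIGINAL))
    print("errors-only filter would ban:", hosts_to_ban(log, ERRORS_ONLY))
```

With the original regex both hosts cross the threshold, including the one that only fetched index.html ten times; the errors-only variant bans just the host generating 404s.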