Fail2ban does not pick up new log files created every day

I ran into a problem with my rainloop webmail client and fail2ban on my Ubuntu server. This tutorial works for any application that creates a new log file every day or week.


By default, rainloop creates a new authentication log file every day, named “auth-yy-mm-dd.txt”, in this location:

/path-to-rainloop/data/_data_/_default_/logs/fail2ban/

My problem was that if I don't restart the fail2ban service every day, it does not pick up the newly created file for the current date.
But even when crontab is set to restart fail2ban automatically at midnight, the file with the current date does not exist yet if there has been no failed attempt that day. I solved this by “manually” creating the file for the current date and then restarting the fail2ban service.

First, let's start by enabling rainloop to work with fail2ban. Navigate to

/path-to-rainloop/data/_data_/_default_/configs/application.ini

Find following code:

All you need to do is enable auth_logging:

auth_logging = On

Next, create the fail2ban jail. Navigate to

/etc/fail2ban/jail.local

Add the following code at the end of the file to enable the rainloop jail with a 30-minute ban time.

[rainloop]
enabled = true
bantime = 30m
filter = rainloop
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/www/rainloop/data/_data_/_default_/logs/fail2ban/auth-*.txt
* In my case the path to rainloop is /var/www/rainloop *

Now create the filter with the failregex inside filter.d:

/etc/fail2ban/filter.d/rainloop.conf
[Definition]
failregex = Auth failed: ip=<HOST> user=.* host=.* port=.*$
ignoreregex =

Restart the fail2ban and apache services:

systemctl restart fail2ban
systemctl restart apache2

The last and most important step is to configure a cron job that creates the log file for the current date and then restarts fail2ban so it picks up the newly created file.

crontab -e
1 0 * * * sudo -u www-data touch /var/www/rainloop/data/_data_/_default_/logs/fail2ban/auth-`date +\%Y-\%m-\%d`.txt
2 0 * * * /etc/init.d/fail2ban restart

When creating the file, you must specify a user that has permission to edit it, so that failed attempts can be added to the file.

NOTE: if you want to test the last commands from crontab, you must create the fail2ban folder manually in /var/www/rainloop/data/_data_/_default_/logs/
or try to log in with wrong credentials, and rainloop will create it automatically.
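
The cron step above as a single script, added here as an example and not part of the original tutorial: it creates today's file without truncating one rainloop already wrote, refuses a symlink planted in the web-writable log folder, and restarts fail2ban only when the file is in place. The function names, the `--cron` argument and the script path in the comment are assumptions; the log path and the www-data user are the ones used on this page, and the script is meant for root's crontab.

```shell
#!/bin/sh
# Added example (not from the original post). Paths and the www-data user are
# the ones used on this page; the function names are made up for illustration.
LOG_DIR="${LOG_DIR:-/var/www/rainloop/data/_data_/_default_/logs/fail2ban}"
LOG_OWNER="${LOG_OWNER:-www-data}"

# auth_log_path DIR [DATE]: print the dated file name (DATE defaults to today).
auth_log_path() {
    printf '%s/auth-%s.txt\n' "$1" "${2:-$(date +%Y-%m-%d)}"
}

# ensure_auth_log DIR [DATE]: make sure the dated file exists without ever
# truncating it. Prints the path and returns 0 on success, non-zero on error.
ensure_auth_log() {
    dir=$1
    file=$(auth_log_path "$dir" "${2:-}")
    # The folder is created by rainloop on the first failed login (or by hand).
    [ -d "$dir" ] || { echo "missing log directory: $dir" >&2; return 1; }
    # The directory is writable by the web user, so do not follow a planted link.
    [ -L "$file" ] && { echo "refusing symlink: $file" >&2; return 1; }
    if [ ! -f "$file" ]; then
        # noclobber: the redirect fails rather than overwrite a file that
        # rainloop created between the check above and this line.
        ( set -C; : > "$file" ) 2>/dev/null || [ -f "$file" ] || return 1
        # When run as root, hand the new file to the web server user so
        # rainloop can append to it; -h never dereferences a symlink.
        if [ "$(id -u)" -eq 0 ]; then
            chown -h "$LOG_OWNER" "$file" || return 1
        fi
    fi
    printf '%s\n' "$file"
}

# Cron entry point, e.g. "1 0 * * * /usr/local/sbin/rainloop-f2b-log.sh --cron"
# (hypothetical script path). Restart only if the file is really in place.
if [ "${1:-}" = "--cron" ]; then
    ensure_auth_log "$LOG_DIR" >/dev/null && systemctl restart fail2ban
fi
```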