Fail2Ban Owncloud Issues - Regex works | Not Banning

Hey folks, newbie here.
I’ve set up as RPi4 (Dietpi) with a 4TB HDD for Owncloud.

Owncloud is working fine and surprisingly fast.
In noticed in the Access.log and via tcpdump that i was pinged quiet often, so i thougt it would be a good idea to set up fail2ban for ssh, owncloud and apache2.
Soo, SSH (Dropbear) gets banned perfectly. But i’ve some problems with owncloud.

Rpi4 + 4TB HDD USB3
Dietpi (Repo)
Owncloud (Repo)
Fail2Ban v0.10.2
Dietpi_userdata on 4TB Harddrive.


  1. Fail2Ban dosn’t block failed Owncloud login attempts. But Fail2Ban-regex works.
  2. I had to change the Permission of the /var/log/owncloud.log to 644. Otherwise Owncloud wouldnt be able to write to it. Seem like the the change of the data to HDD messed up something.
    All other Logs in /var/log/ are also empty, exept for the Apache logs in the separate apache dir.

Logs & Outputs


root@DietPi:# sudo fail2ban-client status
|- Number of jail:      3
`- Jail list:   dropbear, owncloud, sshd

#Fail2Ban-Status owncloud

root@DietPi:/# fail2ban-client status owncloud
Status for the jail: owncloud
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

#Permissions check

root@DietPi:/# ls -al /var/log/fail2ban.log
-rwxr-xr-x 1 root adm 0 Feb 12 01:18 /var/log/fail2ban.log

root@DietPi:/# ls -al /var/log/owncloud.log
-rw-rw-r-- 1 root www-data 2981 Feb 13 00:01 /var/log/owncloud.log


root@DietPi:/# sudo fail2ban-regex /var/log/owncloud.log /etc/fail2ban/filter.d/owncloud.conf

Running tests

Use   failregex filter file : owncloud, basedir: /etc/fail2ban
Use         log file : /var/log/owncloud.log
Use         encoding : UTF-8


Failregex: 2 total
|-  #) [# of hits] regular expression
|   1) [2] {.*,"message":"Login failed: '.*' \(Remote IP: '<HOST>'\)"}

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?

Lines: 2 lines, 0 ignored, 2 matched, 0 missed
[processed in 0.08 sec]

#Fail2Ban Owncloud.conf

  failregex={.*,"message":"Login failed: '.*' \(Remote IP: '<HOST>'\)"}
  ignoreregex =


{"reqId":"P32uBm2oTRrBPsjyvcnF","level":2,"time":"2021-02-13T00:19:56+01:00","remoteAddr":"","user":"--","app":"core","method":"POST","url":"\/owncloud\/login?user=test","message":"Login failed: 'test' (Remote IP: '')"}
{"reqId":"M1trdrNn5OH6sdkJdkaq","level":2,"time":"2021-02-13T00:20:02+01:00","remoteAddr":"","user":"--","app":"core","method":"POST","url":"\/owncloud\/login?user=test","message":"Login failed: 'test' (Remote IP: '')"}


before = paths-debian.conf

ignorself = true
ignoreip = ::1
ignorecommand =
bantime  = 10m
findtime  = 10m
maxretry = 5
backend = systemd
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]
destemail = root@localhost
sender = root@<fq-hostname>
mta = sendmail
protocol = tcp
chain = <known/chain>
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]


# SSH servers

#enabled = true
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
#port    = ssh

enabled = true
port     = ssh
filter = dropbear
bantime = 7200
findtime = 3600
maxretry = 3
banaction = iptables-allports

enabled = true
filter = owncloud
bantime = 7200
findtime = 3600
maxretry = 3
banaction = iptables-multiport[name=owncloud, port="http,https"]
logpath = /var/log/owncloud.log


Thanks for any help to find what i’m missing! :smiley:



many thanks for your message. You could have a look to following. There we got Fail2ban working with ownlcoud

Usually log file is located at /mnt/dietpi_userdata/owncloud_data/owncloud.log

Thanks for your reply.

Will check out the link.

It was on my install too. But every Doc i found listed it normally in var/log…
il change it back, then. thx

Well that’s correct for standard Raspberry OS installation, but on DietPi the log file location is changed.