fail2ban-regex LOG REGEX -d DATEPATTERN -v
Only works on xrdp version v0.9.18 or newer: https://github.com/neutrinolabs/xrdp/tree/v0.9.18.
Detects '[20230628-05:33:09] [INFO ] AUTHFAIL: user=testuser ip=192.168.0.2 time=1687930389' line from xrdp sesman log.
Regex reference: https://stackoverflow.com/questions/75915624/xrdp-filter-setting-for-fail2ban
Verified on code-server v4.16.1 behind a Cloudflare proxy.
Detects 'Sep 14 01:13:29 NAME_OF_YOUR_MACHINE code-server[PID]: Failed login attempt {"xForwardedFor":"IP_ADDRESS_TO_BLOCK, 172.71.151.75","remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36","timestamp":1694654009}' line from syslog.
Regex reference: coder/code-server#1177
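Added example, not taken from the referenced sources: Python patterns that play the role of a fail2ban failregex for the two sample lines above, with (?P<host>...) standing in for <HOST>. The patterns, the constructed addresses, and the choice to ban the xForwardedFor entry just before the last one (assuming the last entry is the Cloudflare edge address, so anything further left was supplied by the client) are assumptions.

```python
import re

# Assumed patterns written against the sample lines on this page.
# (?P<host>...) stands in for fail2ban's <HOST> tag.
XRDP_RE = re.compile(
    r"\[INFO\s*\] AUTHFAIL: user=\S* ip=(?P<host>[0-9A-Fa-f:.]+) time=\d+"
)

# Capture the entry immediately before the last xForwardedFor entry.
# Assumption: the last entry is the Cloudflare edge address; entries further
# left can be set by the client and must not decide which address is banned.
CODE_SERVER_RE = re.compile(
    r'code-server\[\d+\]: Failed login attempt \{"xForwardedFor":"'
    r'(?:[^",]+,\s*)*(?P<host>[0-9A-Fa-f:.]+),\s*[^",\s]+"'
)


def extract_host(line):
    """Return the address a filter built on these patterns would ban, or None."""
    for pattern in (XRDP_RE, CODE_SERVER_RE):
        match = pattern.search(line)
        if match:
            return match.group("host")
    return None


# Constructed log lines (documentation-range addresses, made-up host and PID).
PREFIX = "Sep 14 01:13:29 host1 code-server[4321]: Failed login attempt "
SAMPLES = {
    "xrdp": "[20230628-05:33:09] [INFO ] AUTHFAIL: user=testuser "
            "ip=192.168.0.2 time=1687930389",
    "normal": PREFIX + '{"xForwardedFor":"203.0.113.7, 172.71.151.75",'
              '"remoteAddress":"127.0.0.1","timestamp":1694654009}',
    # The client sent its own X-Forwarded-For value; it shows up left-most.
    "spoofed": PREFIX + '{"xForwardedFor":"198.51.100.99, 203.0.113.7, '
               '172.71.151.75","remoteAddress":"127.0.0.1"}',
    # Only one entry: no proxy-appended hop to anchor on, so no ban.
    "single": PREFIX + '{"xForwardedFor":"203.0.113.7",'
              '"remoteAddress":"127.0.0.1"}',
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, "->", extract_host(line))
```

Before a pattern goes into a filter file, run it over the real log with the fail2ban-regex command shown at the top.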
For web services behind a Cloudflare proxy, send banned IPs to Cloudflare.
You can check banned IP entries on Cloudflare in Dashboard -> Security -> WAF -> Tools.
Reference: https://niksec.com/using-fail2ban-with-cloudflare/