failregex = .*\[<HOST>\]:[0-9]+ .*(?:Unrouteable address|rejected)
Or, if you want to replace cPanel's cPHulk with fail2ban, do the following:
/etc/fail2ban/jail.conf
[cpanel-iptables]
enabled  = true
filter   = cpanel
logpath  = /usr/local/cpanel/logs/login_log
action   = iptables-multiport[name=cpanel, port="21,80,443,2082,2083,2095,2096", protocol=tcp]
#          sendmail-whois[name=cpanel, dest=root, sender=fail2ban@example.com]
findtime = 86400
bantime  = 600
maxretry = 5
/etc/fail2ban/filter.d/cpanel.conf
# Fail2Ban configuration file
#
# Author: Widmo

[Definition]

# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
failregex = ^<HOST>\s\-\s.*\s\[.*\].*\s(FAILED LOGIN)\s.*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Save, restart fail2ban:
service fail2ban restart
Done 😉
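To see how the filter and the jail settings above interact before relying on them, the following Python sketch (an added example, not part of the original post and not fail2ban's own code) expands `<HOST>` with the alias quoted in the filter comments, applies the `failregex` to constructed log lines, and counts failures per host against `findtime` and `maxretry`. The log layout, the IP addresses and the `evaluate` helper are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# <HOST> alias and failregex copied from filter.d/cpanel.conf above
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = r"^<HOST>\s\-\s.*\s\[.*\].*\s(FAILED LOGIN)\s.*$"
FINDTIME, MAXRETRY = 86400, 5  # values from the [cpanel-iptables] jail

PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))
STAMP = re.compile(r"\[(\d\d/\d\d/\d{4}:\d\d:\d\d:\d\d)")

# Constructed sample lines (assumed login_log layout, documentation IP ranges)
FAIL = '"POST /login/ HTTP/1.1" FAILED LOGIN cpaneld: invalid password'
SAMPLE_LOG = [
    f"203.0.113.7 - admin [10/24/2011:15:32:{s:02d} -0000] {FAIL}"
    for s in range(10, 60, 10)          # five failures from one host
] + [
    '198.51.100.4 - alice [10/24/2011:15:40:00 -0000] "POST /login/ HTTP/1.1" 200',
    f"198.51.100.9 - bob [10/24/2011:15:41:00 -0000] {FAIL}",
    # Same failure, but with the timestamp first: the host is no longer at ^
    f"[10/24/2011:15:42:00 -0000] info [cpaneld] 198.51.100.9 - bob {FAIL}",
]

def evaluate(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return (hosts reaching maxretry within findtime, lines the filter ignored)."""
    recent, banned, unmatched = defaultdict(deque), [], []
    for text in lines:
        m = PATTERN.search(text)
        if not m:
            unmatched.append(text)
            continue
        host = m.group("host")
        when = datetime.strptime(STAMP.search(text).group(1), "%m/%d/%Y:%H:%M:%S")
        hits = recent[host]
        hits.append(when)
        # Drop failures that fell out of the findtime window
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned, unmatched

if __name__ == "__main__":
    banned, unmatched = evaluate(SAMPLE_LOG)
    print("would ban:", banned)
    for text in unmatched:
        print("not matched:", text)
```

The last sample line puts the timestamp first and is not matched by the regex as written, so failures logged in that layout would never count toward a ban. On the server, `fail2ban-regex /usr/local/cpanel/logs/login_log /etc/fail2ban/filter.d/cpanel.conf` runs the filter against the real log.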