I have fail2ban working with postfix-sasl errors, but I just can't seem to make it work for anything else.

If I use:

    fail2ban-regex /var/log/httpd/access_log "^<HOST> .*POST .*xmlrpc\.php.*"

It returns:

    Lines: 61008 lines, 0 ignored, 3333 matched, 57675 missed [processed in 9.68 sec]

So clearly my string is correct, and they are being found? But I'm missing some part by which iptables bans the IPs.

jail.local

    [sshd]
    enabled = true
    action = iptables[name=sshd, port=ssh, protocol=tcp]

    [pure-ftpd]
    enabled = true
    action = iptables[name=FTP, port=ftp, protocol=tcp]
    maxretry = 3

    [dovecot]
    enabled = true
    action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
    maxretry = 3

    [postfix-sasl]
    enabled = true
    action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
    maxretry = 3

    [apache-xmlrpc]
    enabled = true
    filter = apache-xmlrpc
    action = iptables-allports
    logpath = /var/log/httpd/access_log
    maxretry = 1

apache-xmlrpc.conf

    [INCLUDES]
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf

    [Definition]
    failregex = ^<HOST> .*POST .*xmlrpc\.php.*
    ignoreregex =

Sure would love to understand why I can't make this thing work. I'm unable to make the dovecot section work either, but I assume one answer will answer my questions.
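The following is an added example, not part of the original post and not fail2ban's own code: a simplified model of how a jail turns filter matches into bans, showing that the "matched" count from `fail2ban-regex` and the set of hosts that reach `maxretry` are two different numbers. The IPv4-only `<HOST>` expansion, the 600-second `findtime` (the post does not set one) and the sample log lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Filter from the post; <HOST> is replaced by a simplified IPv4 group
# (assumption: fail2ban's real <HOST> expansion also covers IPv6 and hostnames).
FAILREGEX = r"^<HOST> .*POST .*xmlrpc\.php.*"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
STAMP = re.compile(r"\[([^\]]+)\]")  # e.g. [10/Oct/2023:13:55:36 +0000]

# Constructed sample lines in Apache combined log format (not from the post).
SAMPLE = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla"
198.51.100.23 - - [10/Oct/2023:14:20:00 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 200 370 "-" "-"
198.51.100.23 - - [10/Oct/2023:14:40:00 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 200 370 "-" "-"
"""

def evaluate(lines, maxretry, findtime=timedelta(seconds=600)):
    """Return (matched_line_count, sorted hosts reaching maxretry within findtime)."""
    recent = defaultdict(deque)  # host -> timestamps of hits still inside the window
    matched, banned = 0, set()
    for line in lines:
        m = PATTERN.search(line)
        ts = STAMP.search(line)
        if not m or not ts:
            continue  # line is "missed" in fail2ban-regex terms
        matched += 1
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m.group("host")]
        hits.append(when)
        # Drop hits that have aged out of the findtime window.
        while when - hits[0] > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            banned.add(m.group("host"))
    return matched, sorted(banned)

if __name__ == "__main__":
    for retry in (1, 2):
        print(retry, evaluate(SAMPLE.splitlines(), maxretry=retry))
```

With `maxretry=2` the same three matched lines produce no ban, because no host has two hits inside one `findtime` window.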