Installing Fail2ban on Octoprint without basic http authentication

I don’t have http auth set for my Octoprint, and all guides I found required it for Fail2ban to work. I started looking around the Octoprint log files and found that the recent addition of Force Login plugin creates logs of failed logins to .octoprint/logs/octoprint.log file.

Installing and Setting up Fail2ban on Octoprint


Install fail2ban.

sudo apt-get install fail2ban

Create new jail file for octoprint in the jail.d folder.

sudo nano /etc/fail2ban/jail.d/octoprint.conf

Below is the jail.d config I have used for my setup. Bantime is 86400 seconds, meaning 24 hours. I’m only banning from http and https because I haven’t forwarded any other ports to my raspberry pi.

[octoprint]
enabled = true
filter = octoprint
logpath = /home/pi/.octoprint/logs/octoprint.log
port = http,https
maxretry = 3
findtime = 10800
bantime = 86400
banaction = iptables-allports

Create new filter file for octoprint in the filter.d folder.

sudo nano /etc/fail2ban/filter.d/octoprint.conf

Below is the regex I have used for my setup.

# Fail2Ban filter for Octoprint login failures
[INCLUDES]
before = common.conf
[Definition]
_daemon = app
failregex = - tornado.access - WARNING - 401 POST /api/login \(<HOST>\) .+$
ignoreregex =

The regex was made based on failed login in octoprint.log file, which looks like

2020-01-13 16:39:25,526 - tornado.access - WARNING - 401 POST /api/login (::ffff:XX.XXX.XX.XX) 17.58ms