Simple fail2ban jail for Mosquitto authentication

Fail2ban Mosquitto filter

Following is a simple fail2ban jail for Mosquitto authentication.

When an authentication attempt fails, Mosquitto writes three lines like these to his log file:
---
<TIMESTAMP>: New connection from <HOST> on port <PORT>.
<TIMESTAMP>: Sending CONNACK to <HOST>
<TIMESTAMP>: Socket error on client <unknown>, disconnecting.
---
This filter looks for these three lines to get the host and allow you to ban it.

Instructions:
1. Paste the jail.local content at the bottom of your /etc/fail2ban/jail.local file
2. Save the mosquitto-auth.conf file to the /etc/fail2ban/filter.d folder
3. Restart the fail2ban server and check if it works. Fit it according to your needs.

jail.local

[mosquitto-auth]
port = 1883,8883
enabled = true
filter = mosquitto-auth
logpath = /var/log/mosquitto/mosquitto.log

mosquitto-auth.conf

# Fail2Ban filter for unsuccesful Mosquitto authentication attempts

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Init]
maxlines = 3

[Definition]
failregex = .+ New connection from <HOST> on port \d+\.\n.+\n.+ Socket error on client <unknown>, disconnecting.
ignoreregex = 

# Author: Francesco Rega

Great. Thanks very much for taking the time to post this.

Thanks man, this works great!

Thank You so much!
I needed to update failregex to to get it properly working with mosquitto 2.0.20:

failregex = .+New\s+connection\s+from\s+<HOST>:\d+\s+on\s+port\s+\d+\.
            .+Client.+disconnected,\s+not\s+authorised\.

For me your approach didn't work and it stated "No failure id group in Client disconnected, not authorised."
Maybe someone has the same problem.
The following did the trick for me:
[Init]
maxlines = 2

[Definition]
failregex = .+New\s+connection\s+from\s+:\d+\s+on\s+port\s+\d+..+Client.+disconnected,\s+not\s+authorised.
ignoreregex =