Add regular-expression filter under /etc/fail2ban/filter.d/keycloak.conf:
[INCLUDES]
before = common.conf
[Definition]
_threadName = [a-z][-_0-9a-z]*(\s[a-z][-_0-9a-z]*)*
_userId = (null|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})
_realmName = ([a-zA-Z][-_a-zA-Z0-9]*)
failregex =
^\s*WARN\s+\[org\.keycloak\.events\]\s+\(%(_threadName)s\) type=LOGIN_ERROR, realmId=%(_realmName)s, clientId=account, userId=%(_userId)s, ipAddress=<HOST>
ignoreregex =
Assuming server logs are stored under /usr/local/keycloak/standalone/log/server.log, add jail configuration under /etc/fail2ban/jail.d/keycloak.conf:
[keycloak]
enabled = true
port = https,8443
logpath = /usr/local/keycloak/standalone/log/server.log
maxretry = 6
findtime = 600
bantime = 600
Simulate some failed logins and test your regular expressions:
sudo fail2ban-regex -v /usr/local/keycloak/standalone/log/server.log /etc/fail2ban/filter.d/keycloak.conf
Restart fail2ban for jail to be enabled:
sudo systemctl restart fail2ban.service
During normal operation of fail2ban, we can check the status of a particular jail:
sudo fail2ban-client status keycloak