
With this configuration the service (fail2ban) starts and the logfile registers the wrong attempts, but fail2ban-client still does not count the attempts. I suspect that there is a problem with the regex, but this is the only regex with which the fail2ban service starts. I tried several from different articles, including one from this site and this other one, but the service fails to start. I apologise if I do not structure the question in an appropriate way.

fail2ban-client status samba 
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/samba/auth_json_audit.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

And cat /var/log/samba/auth_json_audit.log

{"timestamp": "2023-09-29T04:25:46.305161-0400", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.2.238:445", "remoteAddress": "ipv4:192.168.2.196:21997", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": ".", "clientAccount": "wronguser", "workstation": "HOME", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "wronguser", "mappedDomain": ".", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 2776}}

And cat /etc/fail2ban/jail.d/samba.conf

[samba]
enabled = true
port = 88,135,139,389,445,464,636,3328,3329
filter = samba
logpath = /var/log/samba/auth_json_audit.log
maxretry = 5
findtime = 600
bantime = 600

I found this regex in a forum; with it the service starts, but it does not register attempts. Here's /etc/fail2ban/filter.d/samba.conf:

[Definition]
#failregex = NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:<PORT>"
failregex = NT_STATUS_NO_SUCH_USER.*remoteAddress": "ipv4:<HOST>:<PORT>"

(The active second line is not working either.)

Here's my /etc/samba/smb.conf

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = rocky-8
security = user
map to guest = bad user
dns proxy = no
ntlm auth = true
encrypt passwords = yes
guest account = nobody
socket options = TCP_NODELAY IPTOS_LOWDELAY
#log file = /var/log/samba/log.%m
max log size = 1000
#hosts allow = 192.168.1. 127.
#hosts deny = ALL
log level = auth_json_audit:3@/var/log/samba/auth_json_audit.log

1 Answer


Neither of your REs will work because they look for a sequence including <HOST>:<PORT>. If you re-read the documentation, or some of the existing filter files themselves, you'll find an explanation for <HOST> that says,

The tag <HOST> can be used for standard IP/hostname matching and is only an alias for (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

However, there is no similar definition for <PORT> so it tries to match the literal six character string.

None of your logfile lines contain the string <PORT> and so nothing matches. You can test this yourself, as recommended when creating or modifying rules, with the fail2ban-regex command. If it shows no output then your REs are not matching.

Try these definitions instead, as shown in the referenced article:

[Definition]
# One failregex option; the second pattern is an indented continuation line,
# which is how fail2ban expresses several patterns in one filter. \d+ consumes
# the port so that only the address is captured as <HOST>.
failregex = NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:\d+"
            NT_STATUS_NO_SUCH_USER.*remoteAddress": "ipv4:<HOST>:\d+"

And the test commands could be:

fail2ban-regex --print-all-matched /var/log/samba/auth_json_audit.log 'NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:\d+"'
fail2ban-regex --print-all-matched /var/log/samba/auth_json_audit.log 'NT_STATUS_NO_SUCH_USER.*remoteAddress": "ipv4:<HOST>:\d+"'

You may want to re-read the documentation for fail2ban filters at https://fail2ban.readthedocs.io/en/latest/filters.html

  • Thanks. I will try it! Cheers!
    – Ivan
    Oct 5 at 12:28
  • @Ivan if it solves your problem please remember to accept ✔ this answer
    Oct 7 at 13:01
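As an added example, not code from the question, the answer or fail2ban itself, the script below reproduces what fail2ban-regex does with the two filters discussed above: it expands `<HOST>` into the alias the answer quotes from the documentation, leaves an undefined tag such as `<PORT>` as literal text (so the question's filter can never match), runs the patterns over a handful of log lines, and then applies the jail's maxretry/findtime the way fail2ban's sliding window does to show which address would actually be banned. The log lines, addresses, timestamps and helper names (`make_line`, `failures`, `hosts_to_ban`) are constructed for the example; the lines are abridged Samba auth_json_audit records built with `json.dumps`, which emits the same `"remoteAddress": "ipv4:...` spacing that the real log uses, so the regex text is identical to what goes into filter.d.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List, Set, Tuple

# fail2ban's documented expansion of the <HOST> tag (filters.html). Tags that
# fail2ban does not define, such as <PORT> in the question's filter, are not
# expanded, so they end up being matched as literal text.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> the way fail2ban does and compile the failregex."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def make_line(ts: str, status: str, remote: str) -> str:
    """Constructed auth_json_audit line, abridged to the fields the filter uses."""
    return json.dumps({
        "timestamp": ts,
        "type": "Authentication",
        "Authentication": {
            "eventId": 4625, "status": status,
            "localAddress": "ipv4:192.168.2.238:445", "remoteAddress": remote,
            "serviceDescription": "SMB2", "clientAccount": "wronguser",
        },
    })


# Constructed sample log (not real traffic): one brute-force burst from
# 192.168.2.196, a successful logon from 192.168.2.50 that must not count,
# and two failures from 10.0.0.7 spread further apart than findtime.
SAMPLE_LOG = [
    make_line("2023-09-29T03:00:00.000000-0400", "NT_STATUS_WRONG_PASSWORD", "ipv4:10.0.0.7:40001"),
    make_line("2023-09-29T04:25:46.305161-0400", "NT_STATUS_NO_SUCH_USER", "ipv4:192.168.2.196:21997"),
    make_line("2023-09-29T04:26:01.000000-0400", "NT_STATUS_WRONG_PASSWORD", "ipv4:192.168.2.196:22010"),
    make_line("2023-09-29T04:26:20.000000-0400", "NT_STATUS_NO_SUCH_USER", "ipv4:192.168.2.196:22031"),
    make_line("2023-09-29T04:27:05.000000-0400", "NT_STATUS_WRONG_PASSWORD", "ipv4:192.168.2.196:22050"),
    make_line("2023-09-29T04:27:40.000000-0400", "NT_STATUS_WRONG_PASSWORD", "ipv4:192.168.2.196:22071"),
    make_line("2023-09-29T04:28:00.000000-0400", "NT_STATUS_OK", "ipv4:192.168.2.50:5123"),
    make_line("2023-09-29T04:29:00.000000-0400", "NT_STATUS_WRONG_PASSWORD", "ipv4:10.0.0.7:40002"),
]

# The question's filter: <PORT> is undefined, so the pattern needs the literal
# text "<PORT>" in the log line and never matches.
BROKEN = [r'NT_STATUS_NO_SUCH_USER.*remoteAddress": "ipv4:<HOST>:<PORT>"']

# Working filter: the port digits are consumed by \d+ and only the address is
# captured as <HOST>. Both statuses are listed, as a multi-line failregex would be.
FIXED = [
    r'NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:\d+"',
    r'NT_STATUS_NO_SUCH_USER.*remoteAddress": "ipv4:<HOST>:\d+"',
]


def failures(failregexes: Iterable[str], lines: Iterable[str]) -> List[Tuple[datetime, str]]:
    """What fail2ban-regex reports: (event time, host) for every line that
    matches at least one failregex. Stops at the first matching pattern per line."""
    patterns = [compile_failregex(r) for r in failregexes]
    found = []
    for line in lines:
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                ts = datetime.strptime(json.loads(line)["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
                found.append((ts, match.group("host")))
                break
    return found


def hosts_to_ban(events: Iterable[Tuple[datetime, str]], maxretry: int = 5, findtime: int = 600) -> Set[str]:
    """Apply the jail's maxretry/findtime: a host is banned once it has
    maxretry failures within any findtime-second window (sliding window)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, host in sorted(events):
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("broken filter matches:", len(failures(BROKEN, SAMPLE_LOG)))
    hits = failures(FIXED, SAMPLE_LOG)
    print("fixed filter matches:", len(hits))
    print("would ban (maxretry=5, findtime=600):", sorted(hosts_to_ban(hits)))
```

A pattern that ends in `ipv4:<HOST>:"` (colon immediately followed by the closing quote) also matches nothing against this log, because the port digits sit between the colon and the quote and the `<HOST>` alias cannot consume a colon; that is why `\d+` (or a `[^"]+`) is needed before the quote. Once the pattern matches in this script, the same pattern will match under `fail2ban-regex --print-all-matched /var/log/samba/auth_json_audit.log '<pattern>'`, with the caveat that fail2ban must also recognise the line's timestamp for the findtime window to work.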
