From d86a7aecca9a780b5e8fbebcb74a9f72d9273185 Mon Sep 17 00:00:00 2001
From: sebres <info@sebres.de>
Date: Thu, 31 Jul 2025 17:38:28 +0200
Subject: [PATCH] amend to #3979: removed mistaken double pipes in group
 matches

---
 config/filter.d/vaultwarden.conf      | 2 +-
 fail2ban/tests/files/logs/vaultwarden | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/config/filter.d/vaultwarden.conf b/config/filter.d/vaultwarden.conf
index 63d78937..38bac51f 100644
--- a/config/filter.d/vaultwarden.conf
+++ b/config/filter.d/vaultwarden.conf
@@ -4,5 +4,5 @@
 
 [Definition]
 
-failregex = ^\s*(?:\[\]\s*)?\[vaultwarden::api::(identity||admin||core::two_factor::authenticator)\]\[ERROR\] (Invalid admin token||Invalid TOTP code||Username or password is incorrect)[\.!](?:\s+(?!IP:)\S+)* IP: <ADDR>(?:\. Username: <F-USER>\S+</F-USER>)?
+failregex = ^\s*(?:\[\]\s*)?\[vaultwarden::api::(?:identity|admin|core::two_factor::authenticator)?\]\[ERROR\] (?:Invalid admin token|Invalid TOTP code|Username or password is incorrect)[\.!](?:\s+(?!IP:)\S+)* IP: <ADDR>(?:\. Username: <F-USER>\S+</F-USER>)?
 ignoreregex =
diff --git a/fail2ban/tests/files/logs/vaultwarden b/fail2ban/tests/files/logs/vaultwarden
index f797eeaf..ededb820 100644
--- a/fail2ban/tests/files/logs/vaultwarden
+++ b/fail2ban/tests/files/logs/vaultwarden
@@ -21,3 +21,6 @@
 
 # failJSON: { "time": "2024-08-30T20:11:28", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
 [2024-08-31 02:11:28.892+0800][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-30 18:11:28 UTC IP: 2001:db8::b6d3:95d7:1425:766d
+
+# failJSON: { "time": "2024-08-30T20:11:30", "match": true , "host": "192.0.2.7" }
+[2024-08-31 02:11:30.123+0800][vaultwarden::api::admin][ERROR] Invalid admin token! IP: 192.0.2.7. Username: alice