From f0119b5c754f46be7814dca04d73a7710a720689 Mon Sep 17 00:00:00 2001
From: James Elliott <james-d-elliott@users.noreply.github.com>
Date: Thu, 2 Dec 2021 17:09:47 +1100
Subject: [PATCH] docs: update fail2ban example (#2661)

Updates the fail2ban examples to align with new messages.

Fixes #2649.
---
 docs/security/measures.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/security/measures.md b/docs/security/measures.md
index 1866b1887..2555f8655 100644
--- a/docs/security/measures.md
+++ b/docs/security/measures.md
@@ -246,13 +246,13 @@ typically located at `/etc/fail2ban/filter.d`.
 # only contains a single IP address (the one from the end-user), and not the proxy chain
 # (it is misleading: usually, this is the purpose of this header).
 
-# the failregex rule counts every failed login (wrong username or password) and failed TOTP entry as a failure
+# the failregex rule counts every failed 1FA attempt (first line, wrong username or password) and failed 2FA attempt
+# second line) as a failure.
 # the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as errors
 
 [Definition]
-failregex = ^.*Error while checking password for.*remote_ip=<HOST> stack.*
-            ^.*Credentials are wrong for user .*remote_ip=<HOST> stack.*
-            ^.*Wrong passcode during TOTP validation.*remote_ip=<HOST> stack.*
+failregex = ^.*Unsuccessful 1FA authentication attempt by user .*remote_ip="?<HOST>"? stack.*
+            ^.*Unsuccessful (TOTP|DUO|U2F) authentication attempt by user .*remote_ip="?<HOST>"? stack.*
 
 ignoreregex = ^.*level=debug.*
               ^.*level=info.*