O regex precisa ter um agrupamento (parênteses) para o endereço IP, então fail2ban sabe qual IP proibir :
In every line of failregex, the part that matches the host name or IP address must be wrapped in a
(?P<host> ... )
sandwich. This is a Python-specific regex extension that assigns the contents of the match to the name<host>
. The<host>
tag is how you tell fail2ban which host was connecting, so it has to be present in every line of failregex. If it's not, fail2ban will issue an error message about "No 'host' group".
No seu caso, o seu regex deve ser
^(?P<host>1.2.3.4) - .*$