thomasdarimont · May 18, 2021 08:03 · Apr 21, 2020 · Apr 25, 2019
diff --git a/README-fail2ban-keycloak.md b/README-fail2ban-keycloak.md
@@ -16,7 +16,7 @@ failregex =
 ignoreregex = 
 ```
 
-Assuming server logs are stored under `/usr/local/keycloak/standalone/log/server.log`, add jail configuration under `/etc/fail2ban/filter.d/keycloak.conf`:
+Assuming server logs are stored under `/usr/local/keycloak/standalone/log/server.log`, add jail configuration under `/etc/fail2ban/jail.d/keycloak.conf`:
 ```
 [keycloak]
 enabled = true

diff --git a/README-fail2ban-keycloak.md b/README-fail2ban-keycloak.md
@@ -0,0 +1,44 @@
+Add regular-expression filter under `/etc/fail2ban/filter.d/keycloak.conf`:
+```
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_threadName = [a-z][-_0-9a-z]*(\s[a-z][-_0-9a-z]*)*
+_userId = (null|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})
+_realmName = ([a-zA-Z][-_a-zA-Z0-9]*)
+
+failregex = 
+    ^\s*WARN\s+\[org\.keycloak\.events\]\s+\(%(_threadName)s\) type=LOGIN_ERROR, realmId=%(_realmName)s, clientId=account, userId=%(_userId)s, ipAddress=<HOST>
+
+ignoreregex = 
+```
+
+Assuming server logs are stored under `/usr/local/keycloak/standalone/log/server.log`, add jail configuration under `/etc/fail2ban/filter.d/keycloak.conf`:
+```
+[keycloak]
+enabled = true
+port = https,8443
+logpath = /usr/local/keycloak/standalone/log/server.log
+maxretry = 6
+findtime = 600
+bantime = 600
+```
+
+Simulate some failed logins and test your regular expressions:
+
+    sudo fail2ban-regex -v /usr/local/keycloak/standalone/log/server.log /etc/fail2ban/filter.d/keycloak.conf
+
+Restart `fail2ban` for jail to be enabled:
+
+    sudo systemctl restart fail2ban.service
+
+During normal operation of `fail2ban`, we can check the status of a particular jail:
+
+    sudo fail2ban-client status keycloak
+
+
+
+