From 2099bbe58faa15c91611f3553d86fdf9bdd6bd2e Mon Sep 17 00:00:00 2001
From: MacRimi <ricoextincion@gmail.com>
Date: Thu, 12 Feb 2026 18:58:39 +0100
Subject: [PATCH] Update security_manager.py

---
 AppImage/scripts/security_manager.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/AppImage/scripts/security_manager.py b/AppImage/scripts/security_manager.py
index cf9f3e62..ed5bf644 100644
--- a/AppImage/scripts/security_manager.py
+++ b/AppImage/scripts/security_manager.py
@@ -792,10 +792,13 @@ def apply_missing_jails():
     # so pvedaemon logs go to the systemd journal, not /var/log/daemon.log.
     if "proxmox" not in current_jails:
         try:
-            # Create filter with journalmatch for systemd backend
+            # Create filter with journalmatch for systemd backend.
+            # With backend=systemd, fail2ban receives only the MESSAGE field
+            # from the journal (without the "pvedaemon[PID]:" prefix).
+            # The journalmatch already filters to pvedaemon entries.
+            # Optional prefix for compatibility with file-based backends.
             filter_content = """[Definition]
-failregex = pvedaemon\\[.*authentication (failure|error); rhost=<HOST> user=.* msg=.*
-            pvedaemon\\[.*\\]: authentication failure; rhost=<HOST>
+failregex = ^(pvedaemon\\[\\d+\\]:\\s+)?authentication (failure|error); rhost=<HOST> user=.* msg=.*$
 ignoreregex =
 journalmatch = _COMM=pvedaemon
 """