From 86789f677a5942ff8f6fbb3ee3fa305880970d80 Mon Sep 17 00:00:00 2001
From: MacRimi
Date: Thu, 12 Feb 2026 19:23:55 +0100
Subject: [PATCH] Update security_manager.py
---
 AppImage/scripts/security_manager.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/AppImage/scripts/security_manager.py b/AppImage/scripts/security_manager.py
index f9e24d65..45446cc0 100644
--- a/AppImage/scripts/security_manager.py
+++ b/AppImage/scripts/security_manager.py
@@ -793,12 +793,11 @@ def apply_missing_jails():
 if "proxmox" not in current_jails:
 try:
 # Create filter with journalmatch for systemd backend.
- # With backend=systemd, fail2ban receives only the MESSAGE field
- # from the journal (without the "pvedaemon[PID]:" prefix).
- # We use _SYSTEMD_UNIT instead of _COMM because Proxmox truncates
- # _COMM to "pvedaemon worke" which won't match _COMM=pvedaemon.
+ # With backend=systemd, fail2ban receives only the MESSAGE field.
+ # We use _SYSTEMD_UNIT instead of _COMM (Proxmox truncates _COMM).
+ # Proxmox logs IPs as ::ffff:x.x.x.x (IPv4-mapped IPv6).
 filter_content = """[Definition]
-failregex = ^(pvedaemon\\[\\d+\\]:\\s+)?authentication (failure|error); rhost= user=.* msg=.*$
+failregex = ^(pvedaemon\\[\\d+\\]:\\s+)?authentication (failure|error); rhost=(::ffff:)? user=.* msg=.*$
 ignoreregex =
 journalmatch = _SYSTEMD_UNIT=pvedaemon.service
 """
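Review bot: The added `failregex` line matches the IPv4-mapped prefix with a capturing group, `(::ffff:)?`, and the shortened comment records no log line the pattern is meant to match, so the fix cannot be re-checked with `fail2ban-regex` against both address forms. I would make the group non-capturing, `rhost=(?:::ffff:)?`, and add one sample to the new comment, e.g. `# e.g. "authentication failure; rhost=::ffff:192.0.2.10 user=root@pam msg=..." (constructed sample)`. As rendered here nothing sits between `rhost=(::ffff:)?` and ` user=`; that is probably an angle-bracket host placeholder dropped by the page, but it is worth confirming in the file, because without a host group in the failregex fail2ban has no address to ban. The `try:` block and `apply_missing_jails` continue outside the hunk.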