Thank you Giacomo!
Updated WebTop 5 from nethserver-testing with the last rpm.
Now, in /var/lib/tomcats/webtop/logs, both IPs (WAN and LAN) are recorded.
Foolish questions: because I don’t see in “/var/lib/tomcats/webtop/logs” the errors of the bad logins, to create jail and filter for WT 5 in F2B, can be read the IPs from one log file and the errors from other log file ("/var/log/webtop/webtop.log")?
If yes, the synchro between the IP and the error can be made by time and date even if the format isn’t the same?.
10.0.0.1 - - [27/Feb/2017:20:18:26 +0200] “POST /webtop/login HTTP/1.1” 200 5492 “https://mail.nshosting.abt.ro/webtop/” “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0”
2017-02-27 20:18:26 [ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error com.sonicle.security.auth.DirectoryException: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]