Hi everybody, I'm using guacamole.conf to ban users that fail login.
This is my guacamole.conf:
#
# Author: Steven Hiscocks
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex = user "null"
and this is a tail of my log file:
INFO: User "pippo" successfully authenticated from 217.200.201.249.
Feb 09, 2015 7:38:30 PM org.slf4j.impl.JCLLoggerAdapter info
INFO: Login was successful.
Feb 09, 2015 7:38:33 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 217.200.201.249 for user "null" failed.
Feb 09, 2015 7:38:41 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed.
Feb 09, 2015 7:38:42 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed.
Feb 09, 2015 7:38:43 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed.
Feb 09, 2015 8:08:31 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
Feb 09, 2015 8:08:40 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
Feb 09, 2015 8:08:44 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
Feb 09, 2015 8:08:49 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
Feb 09, 2015 8:08:53 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
Guacamole generates null logins by itself on every page load, so I want
fail2ban to ignore them.
This is fail2ban-regex output:
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/guacamole.conf
Use maxlines : 2
Use log file : /var/log/tomcat6/catalina.2015-02-09.log
Use encoding : UTF-8
Results
=======
Failregex: 129 total
|- #) [# of hits] regular expression
| 1) [129] ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [134] MON Day, Year 12hour:Minute:Second AMPM
`-
Lines: 268 lines, 0 ignored, 258 matched, 10 missed [processed in 0.13 sec]
|- Missed line(s):
| Feb 09, 2015 6:15:04 PM org.slf4j.impl.JCLLoggerAdapter info
| INFO: Reading user mapping file: /etc/guacamole/user-mapping.xml
| Feb 09, 2015 7:14:28 PM org.slf4j.impl.JCLLoggerAdapter info
| INFO: User "cristian" successfully authenticated from 95.226.42.86.
| Feb 09, 2015 7:14:28 PM org.slf4j.impl.JCLLoggerAdapter info
| INFO: Login was successful.
| Feb 09, 2015 7:38:30 PM org.slf4j.impl.JCLLoggerAdapter info
| INFO: User "cristian" successfully authenticated from 217.200.201.249.
| Feb 09, 2015 7:38:30 PM org.slf4j.impl.JCLLoggerAdapter info
| INFO: Login was successful.
`-
As you can see, the user "null" lines are not ignored.
I'm using fail2ban 0.9.1 on Ubuntu server.
Thanks in advance for any help.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users