On Wed, May 16, 2018 at 1:54 PM, Erik Berndt <[email protected]> wrote:
> We use a Tomcat filter and it works just fine for Guacamole.
>
> Filter:
>
> # Fail2Ban tomcat filter
> #
> [INCLUDES]
> #
> [Definition]
> failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.

I use this exact filter regex in production, as well. Works great.

As Guacamole will log the IP addresses specified via the "X-Forwarded-For" header, it's critical that this header be able to be trusted if fail2ban is to be used in this way. If a proxy is in use, then the proxy should be configured to always set this header such that the first IP in the header is always the true IP address of the client. If a proxy is *not* in use, then the regex should be altered to pay attention to only the *last* IP address (the only address which does not come from this header), as any other address may be spoofed.

Doing otherwise could allow users to override their own IP address from the perspective of fail2ban, intentionally forcing any other IP address to be blocked (which would effectively be denial of service).

- Mike
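
Added example (not part of the original messages, and not code from Guacamole or fail2ban): a Python comparison of which address each regex hands to fail2ban when the bracketed list holds more than one IP. The `LAST_IP` pattern, the simplified IPv4-only stand-in for `<HOST>`, and the log lines are assumptions constructed for illustration; the line layout is inferred from the filter quoted above.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only). This is an
# assumption so the example runs without fail2ban installed.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Filter quoted in the thread: captures the FIRST address in the list.
FIRST_IP = re.compile(
    r'\bAuthentication attempt from \[' + HOST
    + r'(?:,.*)?\] for user ".*" failed\.'
)

# Hypothetical variant for the no-proxy case: skips any leading,
# header-supplied addresses and captures only the LAST one.
LAST_IP = re.compile(
    r'\bAuthentication attempt from \[(?:[^\]]*,\s*)?' + HOST
    + r'\] for user ".*" failed\.'
)

# Constructed log lines (documentation address ranges). 198.51.100.20 is the
# peer that actually connected; 203.0.113.7 arrived in X-Forwarded-For.
DIRECT = 'Authentication attempt from [198.51.100.20] for user "alice" failed.'
WITH_HEADER = ('Authentication attempt from [203.0.113.7, 198.51.100.20] '
               'for user "alice" failed.')


def banned_host(pattern, line):
    """Return the address a failure would be counted against, or None."""
    match = pattern.search(line)
    return match.group("host") if match else None


def compare(line):
    """Show what each filter extracts from the same log line."""
    return {
        "first_ip": banned_host(FIRST_IP, line),
        "last_ip": banned_host(LAST_IP, line),
    }


if __name__ == "__main__":
    for sample in (DIRECT, WITH_HEADER):
        print(sample)
        print("  ", compare(sample))
```

With a trusted proxy that always sets the header, the first-address result is the client; without one, only the last-address result reflects the connecting peer.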
