v1.5.1 Native Installation, Ubuntu 22 LTS, fail2ban, nginx
fail2ban is not working with Guacamole: the web login page stays the same and no
IP is listed in fail2ban.
I have the following entries configured; I could not find any useful info on
the web to resolve this issue.
For some reason Tomcat shows UTC time, even with the following configured in
/usr/share/tomcat9/bin/catalina.sh; I don't know if this would cause the issue.
TOMCAT_TIMEZONE="-Duser.timezone=Asia/Kolkata"
CATALINA_OPTS="$CATALINA_OPTS $TOMCAT_TIMEZONE"
******************************************
/etc/fail2ban/jail.local
[guacamole]
enabled = true
port = http,https
logpath = /var/log/tomcat*/catalina.out
bantime = 10m
findtime = 30m
maxretry = 3
******************************************
/etc/fail2ban/filter.d/guacamole.conf
# Fail2Ban configuration file for guacamole
#
# Author: Steven Hiscocks
#
[Definition]
logging = catalina
failregex = <L_<logging>/failregex>
maxlines = <L_<logging>/maxlines>
datepattern = <L_<logging>/datepattern>
[L_catalina]
#failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
#added following to match catalina.out
failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentication attempt from <HOST> for user "[^"]*" failed\.$
maxlines = 2
datepattern = ^%%b %%d, %%ExY %%I:%%M:%%S %%p
              ^WARNING:()**
              {^LN-BEG}
[L_webapp]
#failregex = ^ \[\S+\] WARN \S+ - Authentication attempt from <HOST> for user "<F-USER>[^"]+</F-USER>" failed.
#added following to match catalina.out
failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentication attempt from <HOST> for user "[^"]*" failed\.$
maxlines = 1
datepattern = ^%%H:%%M:%%S.%%f
# DEV Notes:
#
# failregex is based on the default pattern given in Guacamole documentation :
# https://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
******************************************
$ tail -f /var/log/tomcat9/catalina.out
[2023-06-03 07:59:45] [info] 13:29:45.213 [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "root" failed.
[2023-06-03 07:59:49] [info] 13:29:49.261 [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "root" failed.
[2023-06-03 07:59:56] [info] 13:29:56.770 [http-nio-8080-exec-2] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "root" failed.
[2023-06-03 08:00:00] [info] 13:30:00.785 [http-nio-8080-exec-3] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "root" failed.
[2023-06-03 08:00:16] [info] 13:30:16.640 [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "admin" failed.
[2023-06-03 08:00:20] [info] 13:30:20.106 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "admin" failed.
[2023-06-03 08:00:24] [info] 13:30:24.969 [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "admin" failed.
******************************************
$ sudo fail2ban-client status
Status
|- Number of jail: 4
`- Jail list: guacamole, nginx-botsearch, php-url-fopen, sshd
******************************************
$ sudo fail2ban-client status guacamole
Status for the jail: guacamole
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/tomcat9/catalina.out
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
$
******************************************
Thanks,
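
The two checks this post raises, whether the posted failregex matches the catalina.out layout and how a UTC-stamped line ages against findtime, as an added example that is not part of the original post. It assumes a simplified IPv4-only expansion of <HOST>, that fail2ban reads a zone-less timestamp in its own local zone, and that lines older than findtime are not counted; SAMPLE, NOW and triage are hypothetical names.

```python
import re
from datetime import datetime, timedelta, timezone

# failregex as posted under [L_catalina]. <HOST> is swapped for a simplified
# IPv4-only group (assumption: fail2ban's own expansion also covers IPv6/DNS).
FAILREGEX = (r'^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentication '
             r'attempt from <HOST> for user "[^"]*" failed\.$')
PATTERN = re.compile(FAILREGEX.replace('<HOST>', r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'))
STAMP = re.compile(r'^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]')
FINDTIME = timedelta(minutes=30)                  # findtime = 30m in jail.local
UTC = timezone.utc
IST = timezone(timedelta(hours=5, minutes=30))    # Asia/Kolkata, fixed offset

# Constructed lines in the catalina.out layout; 203.0.113.7 is a documentation
# address standing in for the redacted client IP.
PREFIX = 'o.a.g.r.auth.AuthenticationService - '
SAMPLE = [
    '[2023-06-03 07:59:45] [info] 13:29:45.213 [http-nio-8080-exec-9] WARN '
    + PREFIX + 'Authentication attempt from 203.0.113.7 for user "root" failed.',
    '[2023-06-03 08:00:16] [info] 13:30:16.640 [http-nio-8080-exec-9] WARN '
    + PREFIX + 'Authentication attempt from 203.0.113.7 for user "admin" failed.',
    '[2023-06-03 08:00:20] [info] 13:30:20.500 [http-nio-8080-exec-1] INFO '
    + PREFIX + 'constructed line that is not a login failure',
]
# Constructed "current time" on the fail2ban host, shortly after the attempts.
NOW = datetime(2023, 6, 3, 13, 30, 30, tzinfo=IST)

def triage(lines, now, log_tz):
    """Per line: (host, age, counted). host is None when failregex misses.

    Simplification: the regex runs on the whole line, whereas fail2ban first
    cuts out the timestamp it recognised; the leading ^.* absorbs the rest.
    """
    rows = []
    for line in lines:
        hit, stamp = PATTERN.search(line), STAMP.match(line)
        if not (hit and stamp):
            rows.append((None, None, False))
            continue
        when = datetime.strptime(stamp.group(1), '%Y-%m-%d %H:%M:%S')
        age = now - when.replace(tzinfo=log_tz)   # zone-less stamp read as log_tz
        rows.append((hit.group('host'), age, age <= FINDTIME))
    return rows

if __name__ == '__main__':
    for name, tz in (('read as local (IST)', IST), ('read as UTC', UTC)):
        for host, age, counted in triage(SAMPLE, NOW, tz):
            print(f'{name:20} host={host} age={age} counted={counted}')
```

On the host itself, `fail2ban-regex /var/log/tomcat9/catalina.out /etc/fail2ban/filter.d/guacamole.conf` runs the installed filter against the real log. The jail option `logtimezone` tells fail2ban which zone to assume for log lines that carry none.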