That works for me

ezh@guac:~# cat /etc/fail2ban/filter.d/guacamole.conf
[Definition]
logging = catalina
failregex = <L_<logging>/failregex>
maxlines = <L_<logging>/maxlines>
datepattern = <L_<logging>/datepattern>

[L_catalina]
failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentication attempt from <HOST> for user "[^"]*" failed\.$
maxlines = 3
datepattern = ^%%H:%%M:%%S.%%f

Sat, 3 Jun 2023 at 11:49, Eby Mani <[email protected]>:

> v1.5.1 Native Installation, Ubuntu 22 LTS, fail2ban, nginx
>
>
> fail2ban not working with guacamole, the web login page stays the same and no
> ip is listed in fail2ban.
>
>
> I have the following entries configured, could not find any useful info over
> the web to resolve this issue.
>
> For some reason tomcat shows UTC time, even with following configured in
> /usr/share/tomcat9/bin/catalina.sh, I
> don't know if this would cause the issue.
>
> TOMCAT_TIMEZONE="-Duser.timezone=Asia/Kolkata"
> CATALINA_OPTS="$CATALINA_OPTS $TOMCAT_TIMEZONE"
>
>
> ******************************************
> /etc/fail2ban/jail.local
>
> [guacamole]
> enabled = true
> port = http,https
> logpath = /var/log/tomcat*/catalina.out
> bantime = 10m
> findtime = 30m
> maxretry = 3
>
> ******************************************
> /etc/fail2ban/filter.d/guacamole.conf
>
> # Fail2Ban configuration file for guacamole
> #
> # Author: Steven Hiscocks
> #
>
> [Definition]
> logging = catalina
> failregex = <L_<logging>/failregex>
> maxlines = <L_<logging>/maxlines>
> datepattern = <L_<logging>/datepattern>
>
> [L_catalina]
>
> #failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
>
> #added following to match catalina.out
>
> failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentication attempt from <HOST> for user "[^"]*" failed\.$
> maxlines = 2
>
> datepattern = ^%%b %%d, %%ExY %%I:%%M:%%S %%p
>               ^WARNING:()**
>               {^LN-BEG}
>
> [L_webapp]
>
> #failregex = ^ \[\S+\] WARN \S+ - Authentication attempt from <HOST> for user "<F-USER>[^"]+</F-USER>" failed.
>
> #added following to match catalina.out
>
> failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentication attempt from <HOST> for user "[^"]*" failed\.$
> maxlines = 1
> datepattern = ^%%H:%%M:%%S.%%f
>
> # DEV Notes:
> #
>
> # failregex is based on the default pattern given in Guacamole documentation :
> # https://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
>
> ******************************************
>
> $ tail -f /var/log/tomcat9/catalina.out
>
> [2023-06-03 07:59:45] [info] 13:29:45.213 [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "root" failed.
>
> [2023-06-03 07:59:49] [info] 13:29:49.261 [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "root" failed.
>
> [2023-06-03 07:59:56] [info] 13:29:56.770 [http-nio-8080-exec-2] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "root" failed.
>
> [2023-06-03 08:00:00] [info] 13:30:00.785 [http-nio-8080-exec-3] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "root" failed.
>
> [2023-06-03 08:00:16] [info] 13:30:16.640 [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "admin" failed.
>
> [2023-06-03 08:00:20] [info] 13:30:20.106 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "admin" failed.
>
> [2023-06-03 08:00:24] [info] 13:30:24.969 [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from \test-public-ip for user "admin" failed.
>
> ******************************************
> $ sudo fail2ban-client status
> Status
> |- Number of jail: 4
> `- Jail list: guacamole, nginx-botsearch, php-url-fopen, sshd
>
> ******************************************
> $ sudo fail2ban-client status guacamole
> Status for the jail: guacamole
> |- Filter
> |  |- Currently failed: 0
> |  |- Total failed: 0
> |  `- File list: /var/log/tomcat9/catalina.out
> `- Actions
>    |- Currently banned: 0
>    |- Total banned: 0
>    `- Banned IP list:
> $
> ******************************************
>
> Thanks,
>

--
Евгений Жуков
+79534155676
skype: xrt_nn
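An offline approximation of what this jail does with the posted filter, added here as an example and not part of either message: it applies the failregex from the reply to constructed log lines in the layout of the catalina.out excerpt, then applies `maxretry = 3` and `findtime = 30m` from jail.local. The IPv4-only `<HOST>` stand-in, the function names and the sample addresses are assumptions, and fail2ban's own datepattern handling is not reproduced.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex copied from the reply's filter; <HOST> is fail2ban's host placeholder.
FAILREGEX = (r'^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentication '
             r'attempt from <HOST> for user "[^"]*" failed\.$')
# Assumption: simplified IPv4-only stand-in for what fail2ban substitutes for <HOST>.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
# Leading "[YYYY-MM-DD HH:MM:SS]" stamp from the catalina.out layout, used for windowing.
STAMP = re.compile(r'^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]')
MSG = 'WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from'

# Constructed sample lines (documentation addresses), not taken from a real log.
SAMPLE_LOG = f'''\
[2023-06-03 07:59:45] [info] 13:29:45.213 [http-nio-8080-exec-9] {MSG} 203.0.113.10 for user "root" failed.
[2023-06-03 07:59:49] [info] 13:29:49.261 [http-nio-8080-exec-10] {MSG} 203.0.113.10 for user "root" failed.
[2023-06-03 07:59:56] [info] 13:29:56.770 [http-nio-8080-exec-2] {MSG} 203.0.113.10 for user "admin" failed.
[2023-06-03 07:00:00] [info] 12:30:00.000 [http-nio-8080-exec-1] {MSG} 198.51.100.7 for user "root" failed.
[2023-06-03 07:20:00] [info] 12:50:00.000 [http-nio-8080-exec-1] {MSG} 198.51.100.7 for user "root" failed.
[2023-06-03 07:45:00] [info] 13:15:00.000 [http-nio-8080-exec-1] {MSG} 198.51.100.7 for user "root" failed.
[2023-06-03 08:00:16] [info] 13:30:16.640 [http-nio-8080-exec-9] {MSG} 192.0.2.5 for user "admin" failed.
[2023-06-03 08:00:20] [info] 13:30:20.106 [http-nio-8080-exec-1] {MSG} 192.0.2.5 for user "admin" failed.
[2023-06-03 08:01:00] [info] Server startup in [4021] milliseconds
'''

def parse_failures(text):
    """Return (timestamp, host) for every line the failregex matches."""
    rx = re.compile(FAILREGEX.replace('<HOST>', HOST))
    hits = []
    for line in text.splitlines():
        m, ts = rx.match(line), STAMP.match(line)
        if m and ts:
            when = datetime.strptime(ts.group(1), '%Y-%m-%d %H:%M:%S')
            hits.append((when, m.group('host')))
    return hits

def hosts_to_ban(hits, maxretry=3, findtime=timedelta(minutes=30)):
    """Hosts with at least maxretry failures inside one findtime window."""
    by_host = defaultdict(list)
    for ts, host in sorted(hits):
        by_host[host].append(ts)
    return {h for h, t in by_host.items()
            if any(t[i + maxretry - 1] - t[i] <= findtime
                   for i in range(len(t) - maxretry + 1))}
```

On the server itself, `fail2ban-regex /var/log/tomcat9/catalina.out /etc/fail2ban/filter.d/guacamole.conf` runs the real filter, datepattern included, against the real log.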
