On 10/25/23 16:05, Piviul wrote:
> Hi all, I have installed guacamole on port 8080 and nginx to have https access. All seems to work correctly.
>
> Now I would like to configure fail2ban to check failing logs. Adding to fail2ban the rule
>
> failregex = ^.*WARN  o\.a\.g\.r\.auth\.AuthenticationService - Authentication attempt from <HOST> for user "[^"]*" failed\.$
>
> permits fail2ban to find failing logs, but only if they are from port 8080. If they use the nginx https port, it doesn't.
>
> In effect, in the guacamole logs, in the case of a failing access on port 8080 the log is:
>
> 13:32:55.059 [http-nio-8080-exec-3] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.168.64.90 for user "user" failed.
>
> But if I use the nginx https port I can find
>
> 13:33:23.598 [http-nio-8080-exec-5] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.64.90, 127.0.0.1] for user "user" failed.
>
> Probably fail2ban can check the host when the logged ip is [192.168.64.90, 127.0.0.1]
>
> Can someone help me write the failregex rule so that fail2ban correctly gets the ip to ban on failing logs even from the nginx https port?

There is another problem: guacamole stores 127.0.0.1 in the History Remote host; that's no good, but that's what it has to do: the connection request came from nginx, which is on the same local server... So the right approach is not rewriting the failregex rule but instructing guacamole to get the ip address from the https request that nginx receives and sends to guacamole. In other words, you should first instruct nginx to add the originating ip to the header, adding

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

to the "location{}" section in the nginx server section of the sites-enabled, then go to the tomcat server.xml and add the valve section under the engine section, similar to

  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  [...]
    <Engine name="Catalina" defaultHost="localhost">
    [..]
         <Valve className="org.apache.catalina.valves.RemoteIpValve"
              requestAttributesEnabled="true"
              internalProxies="127\.0\.0\.1" />

Then restart nginx and tomcat, and all should work now.

Piviul
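
An added sketch, not part of the original message and not fail2ban's or Tomcat's own code: it runs the failregex from the thread against the two quoted log lines, and models in simplified form how RemoteIpValve with internalProxies="127\.0\.0\.1" selects the client address from X-Forwarded-For. Assumptions: <HOST> is replaced by an IPv4-only pattern, \s+ is used after WARN, trustedProxies handling is omitted, and 203.0.113.7 is a constructed sample value.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the
# real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex from the message with <HOST> substituted. \s+ after WARN is an
# assumption so the rule matches the log lines as they appear in the archive.
FAILREGEX = re.compile(
    r"^.*WARN\s+o\.a\.g\.r\.auth\.AuthenticationService - Authentication "
    r"attempt from " + HOST + r' for user "[^"]*" failed\.$'
)

# The two log lines quoted in the message.
DIRECT = ('13:32:55.059 [http-nio-8080-exec-3] WARN o.a.g.r.auth.'
          'AuthenticationService - Authentication attempt from '
          '192.168.64.90 for user "user" failed.')
PROXIED = ('13:33:23.598 [http-nio-8080-exec-5] WARN o.a.g.r.auth.'
           'AuthenticationService - Authentication attempt from '
           '[192.168.64.90, 127.0.0.1] for user "user" failed.')


def banned_host(line):
    """Return the address the rule would extract, or None if no match."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def resolve_remote_ip(remote_addr, xff, internal_proxies=r"127\.0\.0\.1"):
    """Simplified model of RemoteIpValve's address selection.

    The header is honoured only when the direct peer is an internal proxy;
    it is then read right to left and the first address that is not an
    internal proxy becomes the remote address.
    """
    internal = re.compile(internal_proxies)
    if not internal.fullmatch(remote_addr):
        return remote_addr
    hops = [p.strip() for p in (xff or "").split(",") if p.strip()]
    for ip in reversed(hops):
        if not internal.fullmatch(ip):
            return ip
    return remote_addr


if __name__ == "__main__":
    print(banned_host(DIRECT), banned_host(PROXIED))
    # nginx appends the real peer to whatever header the client sent, so a
    # client-supplied entry (constructed: 203.0.113.7) sits to the left.
    print(resolve_remote_ip("127.0.0.1", "203.0.113.7, 192.168.64.90"))
```

Because the header is read from the right and only for peers matching internalProxies, keeping that pattern limited to the actual proxy address is what stops a client-supplied X-Forwarded-For value from ending up in the log line that fail2ban acts on.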


