Posted to user@guacamole.apache.org by Piviul <pi...@riminilug.it> on 2020/03/20 15:26:09 UTC

fail2ban plugin for guacamole

Hi all, I have installed fail2ban and enabled the guacamole plugin. In 
effect, now in fail2ban.log every time fail2ban is started or restarted I can 
find:
> 2020-03-20 14:10:55,276 fail2ban.jail           [185]: INFO    Jail 'sshd' started
> 2020-03-20 14:10:55,277 fail2ban.jail           [185]: INFO    Jail 'guacamole' started

If I try to log on with a wrong password, in fail2ban.log I can find 
nothing...

Is there something more to configure?

Piviul

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: fail2ban plugin for guacamole

Posted by Piviul <pi...@riminilug.it>.
Chris Lee wrote on 26/03/20 at 10:33:
> Hi Piviul,
> 
> Are your jail.local config like this?
> 
> [guacamole]
> enabled  = true
> port     = http,https
> logpath  = /catalina.*.log
Your settings say that fail2ban has to check for authentication failures 
in /catalina.*.log, but do you have this file on your system? My tomcat 
(I use debian buster) is configured to log to 
/var/log/tomcat9/catalina.out, so in logpath I have something like 
/var/log/tomcat*/catalina.out

> Seem the Warning message are logged on /var/log/message instead of /var/log/tomcat/catalina.*.log
You only have to discover where authentication failure messages are 
logged, put the path to this file in logpath, and check whether the 
failregex pattern matches the log you found.

Piviul



Re: fail2ban plugin for guacamole

Posted by Piviul <pi...@riminilug.it>.
Guilherme Carvalho wrote on 31/03/20 at 15:34:
> Piviul, yes I did, but it didn't work; I think I need to change the regex or 
> something else.
Have you tried to change failregex as I've proposed? Anyway, please send 
the row you find in syslog that shows an auth failure, and please send 
the failregex value of the guacamole jail.

Piviul



Re: fail2ban plugin for guacamole

Posted by Guilherme Carvalho <gc...@gmail.com>.
Piviul, yes I did, but it didn't work; I think I need to change the regex or
something else.

On Tue, 31 Mar 2020 at 05:01, Piviul <pi...@riminilug.it> wrote:

> Guilherme Carvalho wrote on 30/03/20 at 19:44:
> > There is not catalina.out in Tomcat9 on Ubuntu 18.04, the logs is set on
> > /var/log/syslog
> Have you tried to change the file /etc/fail2ban/jail.conf setting the
> logpath param to /var/log/syslog?
>
> Piviul
>

Re: fail2ban plugin for guacamole

Posted by Piviul <pi...@riminilug.it>.
Guilherme Carvalho wrote on 30/03/20 at 19:44:
> There is not catalina.out in Tomcat9 on Ubuntu 18.04, the logs is set on 
> /var/log/syslog
Have you tried to change the file /etc/fail2ban/jail.conf setting the 
logpath param to /var/log/syslog?

Piviul



Re: fail2ban plugin for guacamole

Posted by Guilherme Carvalho <gc...@gmail.com>.
There is no catalina.out in Tomcat9 on Ubuntu 18.04; the logs are set to
/var/log/syslog

I'm looking for this too.

On Mon, 30 Mar 2020 at 13:58, Piviul <pi...@riminilug.it> wrote:

> On 30/03/20 17:58, Giorgio wrote:
> > I would be grateful if someone can help in fail2ban on ubuntu 18.04 +
> > Tomcat 9 + apache Guacamole 1.1.0
> I don't think ubuntu 18.04 has a very different configuration from my
> debian buster...
>
> First of all you have to check if you have enabled guacamole filter
> settings in a jail. In my debian buster I have only configured the file
> /etc/fail2ban/jail.conf.d/defaults-debian.conf adding a jail like:
> > [guacamole]
> > enabled=true
>
> Check if in /etc/fail2ban/jail.conf you have the jail guacamole like
> this one
> > [guacamole]
> >
> > port     = http,https
> > logpath  = /var/log/tomcat*/catalina.out
>
> Well now fail2ban looks auth failed attempt in file
> /var/log/tomcat*/catalina.out. Did you have such a file?
>
> Now you have to change the guacamole filter that you find in
> /etc/fail2ban/filter.d/guacamole.conf changing the parameter failregex in:
> > failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService -
> > Authentication attempt from <HOST> for user "[^"]*" failed\.$
>
> now you have to restart fail2ban:
> # systemctl restart fail2ban
>
> that's all
>
> Piviul
>

Re: fail2ban plugin for guacamole

Posted by Piviul <pi...@riminilug.it>.
On 30/03/20 17:58, Giorgio wrote:
> I would be grateful if someone can help in fail2ban on ubuntu 18.04 + 
> Tomcat 9 + apache Guacamole 1.1.0
I don't think ubuntu 18.04 has a very different configuration from my 
debian buster...

First of all you have to check if you have enabled guacamole filter 
settings in a jail. In my debian buster I have only configured the file 
/etc/fail2ban/jail.conf.d/defaults-debian.conf adding a jail like:
> [guacamole]
> enabled=true

Check if in /etc/fail2ban/jail.conf you have the jail guacamole like 
this one
> [guacamole]
>
> port     = http,https
> logpath  = /var/log/tomcat*/catalina.out

Well, now fail2ban looks for failed auth attempts in the file 
/var/log/tomcat*/catalina.out. Do you have such a file?

Now you have to change the guacamole filter that you find in 
/etc/fail2ban/filter.d/guacamole.conf, changing the parameter failregex to:
> failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - 
> Authentication attempt from <HOST> for user "[^"]*" failed\.$

now you have to restart fail2ban:
# systemctl restart fail2ban

that's all

Piviul



Re: fail2ban plugin for guacamole

Posted by Giorgio <gi...@quantiss.com>.
I would be grateful if someone can help in fail2ban on ubuntu 18.04 + Tomcat 9 + apache Guacamole 1.1.0



 From:   Guilherme Carvalho <gc...@gmail.com> 
 To:   <us...@guacamole.apache.org> 
 Sent:   3/26/2020 12:04 PM 
 Subject:   Re: fail2ban plugin for guacamole 


I'm also trying to configure fail2ban, but it is not reading the logs. I'm using Ubuntu 18.04 with Tomcat9; the Tomcat logs are in /var/log/syslog, and there is no catalina.out in /var/log/tomcat9/. Has anybody made it work?


What has changed in the config of fail2ban?


Thanks


On Thu, 26 Mar 2020 at 06:34, Chris Lee <ch...@centurycity.com.hk> wrote:
Hi Piviul,
 
 Are your jail.local config like this?
 
 [guacamole]
 enabled  = true
 port     = http,https
 logpath  = /var/log/tomcat/catalina.*.log
 
 
 Seem the Warning message are logged on /var/log/message instead of /var/log/tomcat/catalina.*.log
 
 I have using Fedora 31.
 
 Regards,
 Chris
 
 
 -----Original Message-----
 From: Piviul <pi...@riminilug.it>
 Sent: Monday, March 23, 2020 5:16 PM
 To: user@guacamole.apache.org
 Subject: Re: fail2ban plugin for guacamole
 
 Piviul wrote on 21/03/20 at 08:13:
 > On 20/03/20 18:51, Mike Jumper wrote:
 >> [...]
 >> Any idea what pattern/regex the fail2ban plugin is using to match
 >> login failures? It may be that the plugin is out-of-date and no
 >> longer matches the messages logged by the webapp.
 > yes, in effect the log pattern doesn't match. Do you know if guacamole
 > distribute the fail2ban filter for the 1.1.0 or I have to modify the
 > filter myself?
 I have changed the fileregex parameter from
 > failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user
 > "[^"]*" failed\.$
 
 to
 > failregex = ^.*WARN  o\.a\.g\.r\.auth\.AuthenticationService -
 > Authentication attempt from <HOST> for user "[^"]*" failed\.$
 
 in the filter configuration file[¹] and all seems to work as expected.
 
 Best regards
 
 Piviul
 
 [¹] /etc/fail2ban/filter.d/guacamole.conf
 
 

Re: fail2ban plugin for guacamole

Posted by Guilherme Carvalho <gc...@gmail.com>.
I'm also trying to configure fail2ban, but it is not reading the logs. I'm
using Ubuntu 18.04 with Tomcat9; the Tomcat logs are in /var/log/syslog, and
there is no catalina.out in /var/log/tomcat9/. Has anybody made it work?

What has changed in the config of fail2ban?

Thanks

On Thu, 26 Mar 2020 at 06:34, Chris Lee <ch...@centurycity.com.hk>
wrote:

> Hi Piviul,
>
> Are your jail.local config like this?
>
> [guacamole]
> enabled  = true
> port     = http,https
> logpath  = /var/log/tomcat/catalina.*.log
>
>
> Seem the Warning message are logged on /var/log/message instead of
> /var/log/tomcat/catalina.*.log
>
> I have using Fedora 31.
>
> Regards,
> Chris
>
>
> -----Original Message-----
> From: Piviul <pi...@riminilug.it>
> Sent: Monday, March 23, 2020 5:16 PM
> To: user@guacamole.apache.org
> Subject: Re: fail2ban plugin for guacamole
>
> Piviul wrote on 21/03/20 at 08:13:
> > On 20/03/20 18:51, Mike Jumper wrote:
> >> [...]
> >> Any idea what pattern/regex the fail2ban plugin is using to match
> >> login failures? It may be that the plugin is out-of-date and no
> >> longer matches the messages logged by the webapp.
> > yes, in effect the log pattern doesn't match. Do you know if guacamole
> > distribute the fail2ban filter for the 1.1.0 or I have to modify the
> > filter myself?
> I have changed the fileregex parameter from
> > failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user
> > "[^"]*" failed\.$
>
> to
> > failregex = ^.*WARN  o\.a\.g\.r\.auth\.AuthenticationService -
> > Authentication attempt from <HOST> for user "[^"]*" failed\.$
>
> in the filter configuration file[¹] and all seems to work as expected.
>
> Best regards
>
> Piviul
>
> [¹] /etc/fail2ban/filter.d/guacamole.conf
>

RE: fail2ban plugin for guacamole

Posted by Chris Lee <ch...@centurycity.com.hk>.
Hi Piviul,

Is your jail.local config like this?

[guacamole]
enabled  = true
port     = http,https
logpath  = /var/log/tomcat/catalina.*.log


It seems the warning messages are logged in /var/log/message instead of /var/log/tomcat/catalina.*.log

I am using Fedora 31.

Regards,
Chris


-----Original Message-----
From: Piviul <pi...@riminilug.it>
Sent: Monday, March 23, 2020 5:16 PM
To: user@guacamole.apache.org
Subject: Re: fail2ban plugin for guacamole

Piviul wrote on 21/03/20 at 08:13:
> On 20/03/20 18:51, Mike Jumper wrote:
>> [...]
>> Any idea what pattern/regex the fail2ban plugin is using to match
>> login failures? It may be that the plugin is out-of-date and no
>> longer matches the messages logged by the webapp.
> yes, in effect the log pattern doesn't match. Do you know if guacamole
> distribute the fail2ban filter for the 1.1.0 or I have to modify the
> filter myself?
I have changed the fileregex parameter from
> failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user
> "[^"]*" failed\.$

to
> failregex = ^.*WARN  o\.a\.g\.r\.auth\.AuthenticationService -
> Authentication attempt from <HOST> for user "[^"]*" failed\.$

in the filter configuration file[¹] and all seems to work as expected.

Best regards

Piviul

[¹] /etc/fail2ban/filter.d/guacamole.conf



Re: fail2ban plugin for guacamole

Posted by Piviul <pi...@riminilug.it>.
Piviul wrote on 21/03/20 at 08:13:
> On 20/03/20 18:51, Mike Jumper wrote:
>> [...]
>> Any idea what pattern/regex the fail2ban plugin is using to match 
>> login failures? It may be that the plugin is out-of-date and no longer 
>> matches the messages logged by the webapp.
> yes, in effect the log pattern doesn't match. Do you know if guacamole 
> distribute the fail2ban filter for the 1.1.0 or I have to modify the 
> filter myself?
I have changed the failregex parameter from
> failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$

to
> failregex = ^.*WARN  o\.a\.g\.r\.auth\.AuthenticationService - Authentication attempt from <HOST> for user "[^"]*" failed\.$

in the filter configuration file[¹] and all seems to work as expected.

Best regards

Piviul

[¹] /etc/fail2ban/filter.d/guacamole.conf
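
Added example, not part of the original message and not code from the Guacamole or fail2ban projects: a Python check of the failregex values quoted in this thread (the old one, and the new one as it appears with two spaces and with one space after WARN) against constructed log records. The <HOST> expansion is a simplified stand-in, and the sample records assume a log layout that pads the level to five characters, which is why two spaces follow WARN.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 address or
# plain hostname only; fail2ban's own expansion also handles IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[\w.-]+)"

# failregex values as they appear in the thread.
TAIL = r'Authentication attempt from <HOST> for user "[^"]*" failed\.$'
FILTERS = {
    "old": r"^.*\nWARNING: " + TAIL,
    "two_space": r"^.*WARN  o\.a\.g\.r\.auth\.AuthenticationService - " + TAIL,
    "one_space": r"^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - " + TAIL,
}

# Constructed sample records, not copied from any real log. Assumption: the
# level is padded to five characters, so "WARN" is followed by two spaces.
FAIL = 'Authentication attempt from 203.0.113.7 for user "admin" failed.'
NEW = "WARN  o.a.g.r.auth.AuthenticationService - " + FAIL
SAMPLES = {
    "catalina_out": "14:12:03.511 [http-nio-8080-exec-4] " + NEW,
    "syslog": "Mar 30 19:40:01 gw tomcat9[812]: 19:40:01.207 [exec-2] " + NEW,
    "legacy_two_line": "Mar 20, 2020 2:10:55 PM Auth login\nWARNING: " + FAIL,
    "other_warning": "14:12:09.002 [http-nio-8080-exec-5] WARN  o.a.g.r.auth."
                     "AuthenticationService - Constructed unrelated warning.",
}


def offending_host(failregex, record):
    """Return the host a failregex would report for one log record, or None."""
    # fail2ban removes the timestamp it recognises before matching; every
    # pattern here starts with ^.* so that step makes no difference.
    match = re.search(failregex.replace("<HOST>", HOST), record)
    return match.group("host") if match else None


def report():
    """Map (filter, sample) to the matched host, or None for no match."""
    return {(f, s): offending_host(rx, rec)
            for f, rx in FILTERS.items() for s, rec in SAMPLES.items()}


if __name__ == "__main__":
    for (f, s), host in report().items():
        print(f"{f:10} {s:16} -> {host or 'no match'}")
```

On a host with fail2ban installed, fail2ban-regex <logfile> /etc/fail2ban/filter.d/guacamole.conf runs the same kind of check with fail2ban's own parser against the real log.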


Re: fail2ban plugin for guacamole

Posted by Piviul <pi...@riminilug.it>.
On 20/03/20 18:51, Mike Jumper wrote:
> [...]
> Any idea what pattern/regex the fail2ban plugin is using to match 
> login failures? It may be that the plugin is out-of-date and no longer 
> matches the messages logged by the webapp.
Yes, in effect the log pattern doesn't match. Do you know if guacamole 
distributes the fail2ban filter for 1.1.0, or do I have to modify the 
filter myself?

Piviul

Re: fail2ban plugin for guacamole

Posted by Mike Jumper <mj...@apache.org>.
On Fri, Mar 20, 2020 at 8:26 AM Piviul <pi...@riminilug.it> wrote:

> Hi all, I have installed fail2ban and enabled guacamole plugin. In
> effect now in fail2ban.log every time fail2ban i start or restart I can
> find:
> > 2020-03-20 14:10:55,276 fail2ban.jail           [185]: INFO    Jail
> 'sshd' started
> > 2020-03-20 14:10:55,277 fail2ban.jail           [185]: INFO    Jail
> 'guacamole' started
>
> If I try to logon with wrong password but in fail2ban.log I can find
> nothing...
>
> There is something more to configure?
>

Any idea what pattern/regex the fail2ban plugin is using to match login
failures? It may be that the plugin is out-of-date and no longer matches
the messages logged by the webapp.

- Mike