How-To Setup Fail2ban with Guacamole to Stop Brute-Force Attacks


Fail2ban(F2B) is an intrusion prevention software framework that protects computer servers from brute-force attacks. F2B can ban any host IP address that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.


Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH. Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.


Here are the steps to install and configure Fail2Ban with Guacamole 0.9.9 on CentOS 7.

1. yum install epel-release
2. yum install fail2ban
3. cd /etc/fail2ban
4. cp jail.conf jail.local (edit the .local copy; jail.conf is overwritten on package upgrades)
5. vi jail.local
6. Adjust bantime, findtime and maxretry to your liking

[Screenshot: bantime, findtime and maxretry settings in jail.local]

7. Set the [guacamole] jail section as follows

[Screenshot: the [guacamole] jail section of jail.local]

8. Save and exit vi (:wq), then run systemctl restart fail2ban
9. This is where I started to run into problems. If you aren't seeing failed login attempts in /var/log/catalina.out, as I wasn't, you'll have to do the following. (Whatever file the attempts end up in must also be the logpath set in the [guacamole] jail; fail2ban can only count what it reads.)

a. Create a new file: /etc/rsyslog.d/tomcat.conf

[Screenshot: contents of /etc/rsyslog.d/tomcat.conf]

b. systemctl restart rsyslog
c. You should now see failed login attempts in catalina.out


10. On to the next problem: F2B was not banning failed login attempts. After some troubleshooting with fail2ban-regex I could see that the stock Guacamole filter did not match the format of the failed-login lines, so every attempt was being read but never counted.

a. vi /etc/fail2ban/filter.d/guacamole.conf (or put the changed failregex in a guacamole.local next to it so a package upgrade does not undo the fix)
Before: [Screenshot: the original failregex in the Guacamole filter]
After: [Screenshot: the corrected failregex]

11. systemctl restart fail2ban

F2B is now banning IPs after 5 attempts. 😀
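Step 10 is the one most likely to bite: fail2ban only counts a log line that its failregex matches, so if the filter and the log format disagree every attempt is read and none is ever banned. The quickest check on a live box is fail2ban-regex /var/log/catalina.out /etc/fail2ban/filter.d/guacamole.conf, which reports how many lines matched. The example below is my addition, not the author's filter or any Guacamole code. It reproduces that check in plain Python against constructed catalina.out lines: the <HOST> expansion, the stock failregex and the widened failregex are stated as assumptions in the comments, the sample lines (timestamps, thread names, addresses, the bracketed address-list form) are made up for the demonstration, and the maxretry count ignores findtime.

```python
import re

# fail2ban 0.9.x expands the <HOST> placeholder in a failregex to this pattern
# (assumption: your fail2ban version does the same; see server/failregex.py).
FAIL2BAN_HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Shape of the failregex in the guacamole filter shipped with fail2ban 0.9
# (assumption: compare it with your own /etc/fail2ban/filter.d/guacamole.conf).
STOCK_FAILREGEX = r'^.*\bAuthentication attempt from <HOST> for user "[^"]*" failed\.$'

# A widened failregex (written for this example, not necessarily the author's
# edit): it also accepts an address list in square brackets, as logged when a
# proxy supplies X-Forwarded-For, and captures the first address in that list.
FIXED_FAILREGEX = (
    r'^.*\bAuthentication attempt from \[?<HOST>(?:, [^\]]*)?\]?'
    r' for user "[^"]*" failed\.$'
)


def _line(thread, level, message):
    """Build one constructed catalina.out line in a logback-style layout."""
    return (f"10:01:02.345 [http-bio-8080-exec-{thread}] {level}  "
            f"o.a.g.r.auth.AuthenticationService - {message}")


# Constructed sample log (timestamps, thread names and addresses are made up):
# one direct failure, five failures arriving through a proxy, one success.
SAMPLE_LINES = [
    _line(3, "WARN", 'Authentication attempt from 203.0.113.7 for user "alice" failed.'),
    *[_line(n, "WARN",
            'Authentication attempt from [198.51.100.23, 10.0.0.1] for user "admin" failed.')
      for n in range(5)],
    _line(2, "INFO", 'User "alice" successfully authenticated from 203.0.113.7.'),
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", FAIL2BAN_HOST))


def matching_hosts(failregex, lines):
    """The <host> captured from each line the failregex matches. These are the
    events fail2ban counts toward maxretry, so an empty list means no bans."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.match, lines) if m]


def would_ban(failregex, lines, maxretry):
    """Hosts with at least maxretry matching lines. findtime is ignored here:
    the sample lines are assumed to fall inside a single window."""
    counts = {}
    for host in matching_hosts(failregex, lines):
        counts[host] = counts.get(host, 0) + 1
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, regex in (("stock", STOCK_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        print(f"{name}: matched {matching_hosts(regex, SAMPLE_LINES)}")
        print(f"{name}: would ban {would_ban(regex, SAMPLE_LINES, maxretry=5)}")
```

With the stock pattern only the direct-connection line is counted and nobody reaches maxretry, which is exactly the "reading but not banning" symptom from step 10. One caveat on the widened pattern: the first address in a bracketed list is whatever the client put in X-Forwarded-For, so only trust it when a proxy you control overwrites that header; otherwise an attacker can get an arbitrary address banned, and banning the last address instead would ban your own proxy. Once the filter is right, confirm bans with fail2ban-client status guacamole, and lift one with fail2ban-client set guacamole unbanip followed by the address rather than deleting iptables rules by hand, so fail2ban's own state stays consistent.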

Other useful commands:
cat /etc/centos-release
journalctl -u tomcat
yum install net-tools
netstat -anp
iptables -L
iptables -S
Example of deleting an iptables rule by hand (manually unbanning an address; put the banned IP after -s): sudo iptables -D f2b-guacamole -s <banned-ip> -j REJECT --reject-with icmp-port-unreachable
