How-To Setup Fail2ban with Guacamole to Stop Brute-Force Attacks

Fail2ban

Fail2ban (F2B) is an intrusion prevention software framework that protects servers from brute-force attacks. F2B can ban any host IP address that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.

Guacamole

Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH. Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.

Install/Configuration

Here are the steps to install and configure Fail2Ban with Guacamole 0.9.9 on CentOS 7.

1. yum install epel-release
2. yum install fail2ban
3. cd /etc/fail2ban
4. cp jail.conf jail.local
5. vi jail.local
6. Adjust bantime, findtime and maxretry to your liking

Image 004

7. Set [guacamole] as follows

Image 005

8. Exit vi (:wq) and run systemctl restart fail2ban
9. This is where I started to run into problems. If you aren’t seeing failed login attempts in /var/log/catalina.out like I was, you’ll have to do the following.

a. Create a new file: /etc/rsyslog.d/tomcat.conf

Image 006

b. systemctl restart rsyslog
c. You should now see failed login attempts in catalina.out


10. On to the next problem… F2B is not banning failed login attempts. After doing some troubleshooting with fail2ban-regex, I was able to see that the current Guacamole filter was not matching the failed login attempt format.

a. vi /etc/fail2ban/filter.d/guacamole
Before: Image 002
After: Image 003

11. systemctl restart fail2ban

F2B is now banning IPs after 5 attempts. 😀
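The script below is an added example, not the post's own configuration and not fail2ban's code. It replays constructed catalina.out lines through a jail the way fail2ban does, so you can see the two things steps 6 and 10 depend on: how the filter's <HOST> placeholder becomes a capture group and why a failregex written for one log layout silently matches nothing on another, and how maxretry/findtime/bantime turn matches into a ban. Assumptions: the jail.local fragment and its logpath are mine (the screenshot is not reproduced here); the "stock" failregex is the one I assume fail2ban shipped for the older two-line java.util.logging layout; the "fixed" failregex is my own, not the one in the author's After screenshot; the sample log lines are constructed in the single-line logback layout Guacamole 0.9.9 writes; and the <HOST> expansion is simplified to IPv4 (fail2ban's real one also accepts IPv6 and hostnames).

```python
"""Replay a fail2ban-style jail over constructed Guacamole log lines.

Added example: not the post's configuration and not fail2ban's own code.
"""
import configparser
import re
from datetime import datetime

# Assumed jail.local fragment (the post's screenshot is not reproduced).
# fail2ban 0.9-era values are plain integers in seconds.
JAIL_LOCAL = """
[guacamole]
enabled  = true
port     = http,https
logpath  = /var/log/tomcat/catalina.out
maxretry = 5
findtime = 600
bantime  = 3600
"""

# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion (assumption;
# the real expansion also accepts IPv6 addresses and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Assumed stock pattern, written for a two-line java.util.logging layout
# ("WARNING:" on its own line). On single-line logback output it never matches.
OLD_FAILREGEX = r'^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$'
# Pattern for the single-line logback layout (my own, not the author's screenshot).
NEW_FAILREGEX = r'^.*WARN\s+.*Authentication attempt from <HOST> for user "[^"]*" failed\.$'

# Constructed sample lines in the logback layout Guacamole 0.9.9 uses.
SAMPLE_LOG = """\
14:45:09.532 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "guacadmin" failed.
14:45:12.001 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "admin" failed.
14:45:20.420 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 198.51.100.9 for user "alice" failed.
14:45:33.100 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "root" failed.
14:45:41.777 [http-nio-8080-exec-2] INFO  o.a.g.r.auth.AuthenticationService - User "alice" successfully authenticated from 198.51.100.9.
14:46:02.250 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "guacadmin" failed.
14:46:05.900 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "guacadmin" failed.
15:10:00.000 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 198.51.100.9 for user "alice" failed.
"""


def compile_failregex(failregex):
    """Expand <HOST> into a named capture group, as fail2ban does, and compile."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_time(line):
    """Return the line's HH:MM:SS.mmm prefix as seconds since midnight."""
    t = datetime.strptime(line.split(" ", 1)[0], "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def count_matches(lines, failregex):
    """What fail2ban-regex reports: how many lines the filter recognises."""
    pat = compile_failregex(failregex)
    return sum(1 for line in lines if pat.search(line))


def load_jail(text):
    """Read maxretry, findtime and bantime from a jail.local fragment."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    jail = cp["guacamole"]
    return int(jail["maxretry"]), int(jail["findtime"]), int(jail["bantime"])


def find_bans(lines, failregex, maxretry, findtime, bantime):
    """Replay the lines; return {host: (timestamp of ban, ban length in seconds)}."""
    pat = compile_failregex(failregex)
    recent = {}  # host -> failure times still inside the findtime window
    bans = {}
    for line in lines:
        m = pat.search(line)
        if not m:
            continue
        host = m.group("host")
        if host in bans:
            continue  # already banned; fail2ban would not see this line's host
        now = parse_time(line)
        window = [t for t in recent.get(host, []) if now - t <= findtime]
        window.append(now)
        recent[host] = window
        if len(window) >= maxretry:
            bans[host] = (line.split(" ", 1)[0], bantime)
    return bans


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    maxretry, findtime, bantime = load_jail(JAIL_LOCAL)
    for name, rx in (("stock", OLD_FAILREGEX), ("fixed", NEW_FAILREGEX)):
        print(f"{name} filter: {count_matches(lines, rx)} matching lines, bans:",
              find_bans(lines, rx, maxretry, findtime, bantime))
```

With the stock pattern the script reports zero matches and no bans, which is the symptom in step 10; with the single-line pattern the host at 203.0.113.7 is banned on its fifth failure inside the 600-second window, while 198.51.100.9 is not, because its two failures are more than findtime apart. The same check against your real catalina.out is what fail2ban-regex /var/log/catalina.out /etc/fail2ban/filter.d/guacamole.conf does.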

Other useful commands:
cat /etc/centos-release
journalctl -u tomcat
yum install net-tools
netstat -anp
iptables -L
iptables -S
Example to delete an iptables rule: sudo iptables -D f2b-guacamole -s xxx.xxx.xxx.xxx/32 -j REJECT --reject-with icmp-port-unreachable

3 Replies to “How-To Setup Fail2ban with Guacamole to Stop Brute-Force Attacks”

  1. Thanks for posting these instructions. They helped me get fail2ban working with guacamole. However, the example you showed for step 9a seems to be missing a colon at the beginning of each line. My /etc/rsyslog.d/tomcat.conf is:
    :programname,contains,"server" /var/log/tomcat/catalina.out
    :programname,contains,"server" ~

    1. Hey Tony, I’m glad the instructions helped. I reviewed my /etc/rsyslog.d/tomcat.conf file and I do not have a colon at the beginning of each line. Does F2B work for you without the colons?

      1. I started without the colons, and it did not work. I started searching for other examples for rsyslog configurations, and found several examples that used the colon. When I tried it with the colon, it worked, and I moved on.
