Fail2ban (F2B) is an intrusion prevention software framework that protects servers from brute-force attacks. F2B can ban any host IP address that makes too many login attempts, or performs any other unwanted action, within a time frame defined by the administrator.
Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH. Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.
Here are the steps to install and configure Fail2Ban with Guacamole 0.9.9 on CentOS 7.
1. yum install epel-release
2. yum install fail2ban
3. cd /etc/fail2ban
4. cp jail.conf jail.local
5. vi jail.local
6. Adjust bantime, findtime and maxretry to your liking
7. Set [guacamole] as follows
8. Exit vi (:wq) and run systemctl restart fail2ban
9. This is where I started to run into problems. If you aren’t seeing failed login attempts in /var/log/catalina.out like I was, you’ll have to do the following.
a. Create a new file: /etc/rsyslog.d/tomcat.conf
b. systemctl restart rsyslog
c. You should now see failed login attempts in catalina.out
10. On to the next problem… F2B is not banning failed login attempts. After doing some troubleshooting with fail2ban-regex, I was able to see that the current Guacamole filter was not matching the failed login attempt format.
a. vi /etc/fail2ban/filter.d/guacamole
11. systemctl restart fail2ban
F2B is now banning IPs after 5 attempts. 😀
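To make the two knobs behind this setup concrete, here is an added example (not code from the post, nor from Fail2ban itself) that replays the jail logic over a constructed catalina.out sample: a failregex with Fail2ban's <HOST> placeholder is tried against each line, and a source IP is "banned" once it accumulates maxretry matches inside a findtime window, as in step 6. The log line format and both regexes are assumptions; the stale regex stands in for the mismatch that fail2ban-regex exposed in step 10, and matches nothing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed catalina.out sample (the line format is an approximation, not from the page).
SAMPLE_LOG = """\
2016-03-01 10:00:01 WARN  Authentication attempt from 192.0.2.10 for user "admin" failed.
2016-03-01 10:00:03 WARN  Authentication attempt from 192.0.2.10 for user "root" failed.
2016-03-01 10:00:05 WARN  Authentication attempt from 192.0.2.10 for user "admin" failed.
2016-03-01 10:00:06 WARN  Authentication attempt from 192.0.2.10 for user "admin" failed.
2016-03-01 10:00:08 WARN  Authentication attempt from 192.0.2.10 for user "admin" failed.
2016-03-01 10:00:09 WARN  Authentication attempt from 198.51.100.7 for user "guest" failed.
2016-03-01 10:30:00 WARN  Authentication attempt from 198.51.100.7 for user "guest" failed.
2016-03-01 10:30:05 INFO  User "admin" successfully authenticated from 203.0.113.5.
"""

# failregex that fits the constructed format above (assumed; not the page's filter).
GOOD_FAILREGEX = r'^Authentication attempt from <HOST> for user "[^"]*" failed\.$'
# Hypothetical failregex written for a different message layout (bracketed host):
# it matches nothing here, which is exactly what fail2ban-regex exposes in step 10.
STALE_FAILREGEX = r'^Authentication attempt from \[<HOST>\] for user "[^"]*" failed\.$'


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand Fail2ban's <HOST> placeholder into a capture group (simplified to \\S+)."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def parse_line(line: str):
    """Split a sample line into (timestamp, message); the message is what failregex sees."""
    date, time, _level, msg = line.split(None, 3)
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), msg


def find_bans(log: str, failregex: str, maxretry: int = 5, findtime: int = 600) -> dict:
    """Return {ip: ban time} for IPs with >= maxretry matches inside a sliding findtime window."""
    rx = compile_failregex(failregex)
    recent: dict = defaultdict(deque)
    bans: dict = {}
    for line in log.splitlines():
        ts, msg = parse_line(line)
        match = rx.search(msg)
        if not match or match.group("host") in bans:
            continue
        window = recent[match.group("host")]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # drop matches older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[match.group("host")] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return bans
```

Running find_bans(SAMPLE_LOG, GOOD_FAILREGEX) bans 192.0.2.10 on its fifth failure, while 198.51.100.7 stays unbanned because its two failures fall outside one findtime window; find_bans(SAMPLE_LOG, STALE_FAILREGEX) bans nobody, which is the symptom from step 10.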
Other useful commands:
journalctl -u tomcat
yum install net-tools
Example to delete an iptables rule: sudo iptables -D f2b-guacamole -s xxx.xxx.xxx.xxx/32 -j REJECT --reject-with icmp-port-unreachable