Fail2ban for Guacamole

Hello!
NethServer's fail2ban install already has the /etc/fail2ban/filter.d/guacamole.conf file, so I adjusted only the regex.
I have enabled the fail2ban jail at /etc/fail2ban/jail.d/01-guacamole.conf

[guacamole]
enabled=true
port=80,443
logpath = /var/log/messages
filter = guacamole
banaction=iptables-multiport

After that I can see guacamole on the NethServer Fail2ban application, Jails tab.
When I hit enter on a wrong password for Apache Guacamole, it writes to the log

[13350]: INFO [guacamole] Found IP date
[13350]: INFO [guacamole] Found IP date
[13350]: INFO [guacamole] Found IP date
[13350]: NOTICE [guacamole] Ban IP already banned

But the IP ban does not work (the user can access the server / site which is blocked)

When I add the line “banaction=iptables-multiport”, the log looks like

[13350]: NOTICE [guacamole] Ban IP
[13350]: INFO [guacamole] Found IP date
[13350]: INFO [guacamole] Found IP date
[13350]: INFO [guacamole] Found IP date

The block works but the WEB interface shows "You have no banned IP", and "fail2ban-listban list" shows no entries either.
I can unblock the banned IP by "fail2ban-unban" only.

How can I accomplish that the banned IPs show on the WEB interface and the IP block works as well?

Thanks!

1 Like

You need to use the shorewall-ipset-proto6 banaction.

I have configured banaction=shorewall-ipset-proto6 but there is the same result as when there is no banaction configured. The WEB interface shows the banned IP, but the user can access the server.

NethServer Fail2ban application, Jails tab.
The IP ban is seen on the WEB interface for the application (Unban tab) but the IP ban does not work (the user can access the server / site which shows as blocked).

Any ideas?

Yep, it is normal, you must create the set inside ipset.

check

/etc/shorewall/initdone

You could create a template, let's say /etc/e-smith/templates/etc/shorewall/initdone/15Guacamole

with

{
    # e-smith templates run Perl only inside braces; create the set fail2ban fills
    system("/usr/sbin/ipset -quiet -exist create f2b-guacamole hash:ip timeout 1800");
}
then
signal-event nethserver-fail2ban-update

You could check the IPs blocked in jails with

ipset -L
or
ipset -L f2b-guacamole

1 Like

I have created the ipset but nothing has changed.
ipset -L f2b-guacamole shows the ban but server access is not blocked.
Is there any other file where something important is stored?

Just found the solution. I needed to create a file with a drop definition rule:
/etc/e-smith/templates/etc/shorewall/blrules/30-guacamole
Now the IP block is working.
Thanks for the help!

2 Likes

Yep, I missed creating the drop rules… Sorry

I'd like to secure the guacamole module with fail2ban.
I did not find code in other modules. What's the best way to do it? Is it better to have the code in the fail2ban package or in the guacamole package?

Recap:

As @Rakaris_Bakaris stated, the provided regex is wrong. This is a working regex for /etc/fail2ban/filter.d/guacamole.conf:

failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.

Created /etc/e-smith/templates-custom/etc/shorewall/blrules/30guacamole with the following content:

{
    use NethServer::Fail2Ban;
    return "" if ($fail2ban{'status'} ne 'enabled');
    my $banLocal = $fail2ban{'BanLocalNetwork'} || 'disabled';
    $OUT .= "DROP\tnet:+f2b-guacamole\tall\n";
    if ($banLocal eq 'enabled') {
        $OUT .= "DROP\tloc:+f2b-guacamole\tall\n";
    }
}

I can confirm that guacamole IP ban works.

2 Likes
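To check that the recap's failregex actually matches what Guacamole writes to /var/log/messages before enabling the jail, here is an added offline test harness (not from the thread or from nethserver-fail2ban). It expands <HOST> with a simplified IPv4/IPv6 pattern (an assumption; fail2ban's own host pattern is broader) and runs the regex over constructed sample log lines, including the comma-separated form Guacamole logs behind a proxy.

```python
import re

# fail2ban substitutes <HOST> with its own host pattern; this simplified
# IPv4-or-IPv6 alternative is an assumption made for offline testing.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)"

# The working failregex from the recap, with <HOST> expanded.
FAILREGEX = r'\bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

# Constructed sample lines in the syslog style of /var/log/messages.
# Line 2 shows the "[client, proxy]" form that the (?:,.*)? group absorbs;
# line 4 is a successful login and must not match.
SAMPLE_LOG = """\
Mar 12 10:00:01 nethserver guacamole[13350]: Authentication attempt from [192.0.2.10] for user "admin" failed.
Mar 12 10:00:02 nethserver guacamole[13350]: Authentication attempt from [192.0.2.10, 10.0.0.1] for user "admin" failed.
Mar 12 10:00:03 nethserver guacamole[13350]: Authentication attempt from [2001:db8::1] for user "root" failed.
Mar 12 10:00:04 nethserver guacamole[13350]: User "admin" successfully authenticated from [192.0.2.10].
Mar 12 10:00:05 nethserver guacamole[13350]: Authentication attempt from [192.0.2.10] for user "guest" failed.
Mar 12 10:00:06 nethserver guacamole[13350]: Authentication attempt from [198.51.100.7] for user "guest" failed.
"""


def failed_hosts(log_text):
    """Return the host the filter would extract from each matching line, in order."""
    hosts = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def count_by_host(log_text):
    """Count failures per host, as fail2ban does before comparing with maxretry."""
    counts = {}
    for host in failed_hosts(log_text):
        counts[host] = counts.get(host, 0) + 1
    return counts


def would_ban(log_text, maxretry=3):
    """Hosts that reach maxretry failures (findtime is ignored in this offline check)."""
    return sorted(h for h, n in count_by_host(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(count_by_host(SAMPLE_LOG))
    print("would ban:", would_ban(SAMPLE_LOG))
```

On a live system, fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/guacamole.conf performs the same check with fail2ban's real <HOST> pattern.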

A PR to nethserver-fail2ban would create a checkbox inside the UI, but it is a core package now; the easier way is to provide all the templates inside nethserver-guacamole, enabled by default, but protect the jail with pseudo code like

if (-f /path/to/log && jailStatus === enabled ) {
 jail definition
}

If you fail, you will stop fail2ban on hundreds/thousands of servers… I love life with spices

2 Likes