Fail2ban for Guacamole

Nethserserver’s fail2ban install already have /etc/fail2ban/filter.d/guacamole.conf file so I adjusted only regex.
I have enabled failto ban jail at /etc/fail2ban/jail.d/01-guacamole.conf

logpath = /var/log/messages
filter = guacamole

After that I can see guacamole on Nethserver Fail2bans application Jails tab.
When I hit enter on wrong password for Apache Guacamole writes at log

[13350]: INFO [guacamole] Found IP date
[13350]: INFO [guacamole] Found IP date
[13350]: INFO [guacamole] Found IP date
[13350]: NOTICE [guacamole] Ban IP already banned

But IP ban does not work (user can access server / site which is blocked)

When I add the line “banaction=iptables-multiport”, the log looks like

[13350]: NOTICE [guacamole] Ban IP
[13350]: INFO [guacamole] Found IP date
[13350]: INFO [guacamole] Found IP date
[13350]: INFO [guacamole] Found IP date

The block works but WEB interface shows " You have no banned IP", also “fail2ban-listban list” no entries.
I can unblock banned IP by "fail2ban-unban " only.

How to accomplish that the banned IP’s shows on the WEB interface and IP block works also?


1 Like

you need to use shorewall-ipset-proto6 banaction

I have configured banaction=shorewall-ipset-proto6 but there is the same result when there is no banaction configured. WEB interface shows the banned IP, but user can access server.

Nethserver Fail2bans application Jails tab.
IP ban is seen on WEB interface for application (Unban tab) but IP ban does not work (user can access server / site which shows as blocked).

Any ideas?

yep it is normal you must create the set inside ipset



you could create a tempate, lets say /etc/e-smith/templates/etc/shorewall/initdone/15Guacamole


system("/usr/sbin/ipset -quiet -exist create f2b-guacamole hash:ip timeout 1800 ");
signal-event nethserver-fail2ban-update

you could check the IP blocked in jails with

ipset -L
ipset -L f2b-guacamole

1 Like

I have created ipset but nothing has been changed
ipset -L f2b-guacamole shows ban but server access is not blocked.
Any other file where some important is stored?

Just found the solution. I need to create file with drop definition rule.
now IP block is working.
Thanks for help!


Yep i missed to create the drop rules… Sorry

I’d like to secure the guacamole module with fail2ban.
I did not find code in other modules. What’s the best way to do it? Is it better to have the code in fail2ban package or in guacamole package?


As @Rakaris_Bakaris stated, the provided regex is wrong. This is a working regex for /etc/fail2ban/filter.d/guacamole.conf:

failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.

Created /etc/e-smith/templates-custom/etc/shorewall/blrules/30guacamole with following content:

    use NethServer::Fail2Ban;
    return "" if ($fail2ban{'status'} ne 'enabled');
    my $banLocal = $fail2ban{'BanLocalNetwork'} || 'disabled';
    $OUT .= "DROP\tnet:+f2b-guacamole\tall\n";
    if ($banLocal eq 'enabled') {
        $OUT .= "DROP\tloc:+f2b-guacamole\tall\n";

I can confirm that guacamole IP ban works.


a PR to nethserver-fail2ban will create a checkbox inside the UI, but it is a core package now, the easier is to provide all the templates inside the nethserver-guacamole enabled by default but protect the jail by a pseudo code

if (-f /path/to/log && jailStatus === enabled ) {
 jail definition

if you fail you will stop fail2ban in hundred/thousand of servers…I love life with spices