Wanted to see if this bug was mine alone but Fail2Ban and Guacamole aren’t seeming to play well.
Expected behavior: Spamming invalid login attempts at https://guac.example.com => have Fail2Ban detect invalid logins and add IP to Guacamole Jail => Access to https://guac.example.com restricted via Fail2Ban jail.
Actual Behavior: Spamming invalid login attempts at https://guac.example.com => have Fail2Ban detect invalid logins and add IP to Guacamole Jail => Access to https://guac.example.com is still accessible while the rest of the NS services are NOT accessible (Nextcloud, web-admin, …) even though the IP has been added to the blocked list.
EDIT - User accounts are local to Guacamole only as I also use the 2fa module not included in the original package by @mrmarkuz that does work for me without issue.
Anything I can do to help? I’ve added the fail2ban.log info below. The guacamole jail picks up the ban and applies it but 2 odd things happen. First, in that first picture above in the Fail2Ban dashboard none of the Guacamole IP bans are accounted for. Second, the jail catches the behavior and places my IPs in the banned list & it blocks off access to Cockpit interface, Nextcloud and so forth. It does not however stop the banned IPs from reaching/responding to the Guacamole install. I’m not sure if this is because Guacamole uses Tomcat and isn’t accounted for or … who knows, I’ve got to learn more about Fail2Ban.
2020-05-17 11:13:27,875 fail2ban.filter [7718]: INFO [guacamole] Found 10.25.0.2 - 2020-05-17 11:13:27
2020-05-17 11:13:29,078 fail2ban.filter [7718]: INFO [guacamole] Found 10.25.0.2 - 2020-05-17 11:13:28
2020-05-17 11:13:30,282 fail2ban.filter [7718]: INFO [guacamole] Found 10.25.0.2 - 2020-05-17 11:13:30
2020-05-17 11:13:32,286 fail2ban.filter [7718]: INFO [guacamole] Found 10.25.0.2 - 2020-05-17 11:13:32
2020-05-17 11:13:32,579 fail2ban.actions [7718]: NOTICE [guacamole] 10.25.0.2 already banned
2020-05-17 11:13:34,290 fail2ban.filter [7718]: INFO [guacamole] Found 10.25.0.2 - 2020-05-17 11:13:33
2020-05-17 11:13:37,496 fail2ban.filter [7718]: INFO [guacamole] Found 10.25.0.2 - 2020-05-17 11:13:37
2020-05-17 11:15:12,217 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:11
2020-05-17 11:15:14,221 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:13
2020-05-17 11:15:16,226 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:15
2020-05-17 11:15:17,429 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:17
2020-05-17 11:15:17,911 fail2ban.actions [7718]: NOTICE [guacamole] Ban 192.168.0.99
2020-05-17 11:15:18,024 fail2ban.filter [7718]: INFO [recidive] Found 192.168.0.99 - 2020-05-17 11:15:17
2020-05-17 11:15:20,035 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:19
2020-05-17 11:15:21,238 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:21
2020-05-17 11:15:22,441 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:22
2020-05-17 11:15:23,653 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:23
2020-05-17 11:15:23,931 fail2ban.actions [7718]: NOTICE [guacamole] 192.168.0.99 already banned
2020-05-17 11:15:24,857 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:24
2020-05-17 11:15:26,861 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:26
2020-05-17 11:15:26,862 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:26
2020-05-17 11:15:27,064 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:26
2020-05-17 11:15:27,135 fail2ban.actions [7718]: NOTICE [guacamole] 192.168.0.99 already banned
2020-05-17 11:36:35,837 fail2ban.actions [7718]: NOTICE [guacamole] Unban 192.168.0.99
2020-05-17 11:36:38,177 fail2ban.actions [7718]: NOTICE [guacamole] Unban 10.25.0.2
This wasn’t meant to be accusatory just trying to list all my variables that differ from the original install. I remember failing to get this to work with the LDAP integration so I opted to do the local accounts/2fa until I could figure it out. I will try to re-produce on a new Neth install.
Self pwn on my end. The issue is that I use pfSense with HAProxy to then get to the NS Guacamole install. NS Fail2Ban sees my IP address and works like it is supposed to if I were connecting to it directly, but it does not block connections that are sent through pfSense’s HAProxy. I am going to confirm again this is reproducible behavior with Nextcloud also being proxied in the same way on the system.
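
A log check for the symptom in the excerpt above, as an added example that is not part of the original posts: it counts the "Found" events fail2ban keeps logging for an address after it has banned it, which shows the ban is not enforced on the path the login attempts actually take (here, through the proxy). The function names and the min_hits threshold are assumptions of this example; the sample lines are copied from the posted log.

```python
import re
from collections import Counter

# Subset of the fail2ban.log excerpt posted above, copied unmodified.
SAMPLE_LOG = """\
2020-05-17 11:13:32,286 fail2ban.filter [7718]: INFO [guacamole] Found 10.25.0.2 - 2020-05-17 11:13:32
2020-05-17 11:13:32,579 fail2ban.actions [7718]: NOTICE [guacamole] 10.25.0.2 already banned
2020-05-17 11:13:34,290 fail2ban.filter [7718]: INFO [guacamole] Found 10.25.0.2 - 2020-05-17 11:13:33
2020-05-17 11:13:37,496 fail2ban.filter [7718]: INFO [guacamole] Found 10.25.0.2 - 2020-05-17 11:13:37
2020-05-17 11:15:17,429 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:17
2020-05-17 11:15:17,911 fail2ban.actions [7718]: NOTICE [guacamole] Ban 192.168.0.99
2020-05-17 11:15:18,024 fail2ban.filter [7718]: INFO [recidive] Found 192.168.0.99 - 2020-05-17 11:15:17
2020-05-17 11:15:20,035 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:19
2020-05-17 11:15:21,238 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:21
2020-05-17 11:15:22,441 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:22
2020-05-17 11:15:23,653 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:23
2020-05-17 11:15:23,931 fail2ban.actions [7718]: NOTICE [guacamole] 192.168.0.99 already banned
2020-05-17 11:15:24,857 fail2ban.filter [7718]: INFO [guacamole] Found 192.168.0.99 - 2020-05-17 11:15:24
2020-05-17 11:36:35,837 fail2ban.actions [7718]: NOTICE [guacamole] Unban 192.168.0.99
2020-05-17 11:36:38,177 fail2ban.actions [7718]: NOTICE [guacamole] Unban 10.25.0.2
"""

# Matches "[jail] Found|Ban|Unban <ip>" and "[jail] <ip> already banned".
EVENT = re.compile(
    r"\[(?P<jail>[\w-]+)\] (?:(?P<verb>Found|Ban|Unban) (?P<ip>\S+)"
    r"|(?P<dup>\S+) already banned)"
)

def hits_while_banned(log_text):
    """Count 'Found' events per (jail, ip) logged while that ip was banned in that jail."""
    banned, hits = set(), Counter()
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        key = (m["jail"], m["ip"] or m["dup"])
        if m["dup"] or m["verb"] == "Ban":
            banned.add(key)        # "already banned" also proves an active ban
        elif m["verb"] == "Unban":
            banned.discard(key)
        elif key in banned:        # a "Found" while the ban should be in force
            hits[key] += 1
    return hits

def suspect_bans(log_text, min_hits=3):
    """Bans that did not stop the failures; a hit or two can be log lines still in flight."""
    return sorted(k for k, n in hits_while_banned(log_text).items() if n >= min_hits)

if __name__ == "__main__":
    for jail, ip in suspect_bans(SAMPLE_LOG):
        print(f"[{jail}] {ip}: failures continue after ban; check where the ban is enforced")
```
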