How to use fail2ban with Guacamole hosted on Nethserver

Hello @support_team,

I’ve installed Guacamole on my Nethserver. Was thinking of adding Guacamole to my Nextcloud as an external app. This would provide an extra layer of protection for login if someone tries to get into our network from outside. They would have to login first to Nextcloud and then Guacamole second.

But another option is to allow direct outside access to Guacamole Server from WAN and use fail2ban as my added protection. How should I implement this? I see reference to fail2ban directly in Guacamole or fail2ban installed as a module on Nethsever. Which one should I use?

Thank you.

Guacamole just adds a jail to fail2ban from software center.
See wiki.


Hello @mrmarkuz,

So to implement fail2ban on Guacamole I first install the fail2ban module on Nethserver. Then I issue the following to enable fail2ban jail for Guacamole:

config setprop guacd jailStatus enabled
signal-event nethserver-fail2ban-save

I’m looking at the Nethserver fail2ban settings and they seem very easy. Just set the amount of failed login attempts and duration and if you want to ban on the WAN and LAN. Is it really that simple to implement fail2ban on Nethserver?

Also, I see in fail2ban Nethserver Dashboard section Guacamole listed. But in the Jails section I don’t see Guacamole. Is the only way to turn off Guacamole in fail2ban is to issue the command - config setprop guacd jailStatus enabled?

Thank you.

Uhm… yes it is…


Wow! it really is that easy. This is awesome! Thank you

Without fail2ban I wouldn’t sleep too well having my mail hosted on a NethServer VPS. I have around 20k banned ip’s in the fail2ban logs.

1 Like

Yes, it’s the only way to set the jailStatus to disabled to disable the jail.

1 Like

Valuable input team. I’m going to sleep better knowing that fail2ban is protecting me now too. It’s so easy to setup and use it should be enabled by default. :slight_smile:

Thanks Team for the feedback.

1 Like

normally it is like this we do @mrmarkuz

the logic is enable the jail if the log exists and if the prop is true (default)

if ( -f '/path/to/log' && $jailGuacamol_status eq 'true') {
    $OUT .= q( expand the jail);

In the createlink of nethserver-guacamol you can expand the jail.local template and restart fail2ban