anyone still using fail2ban


mbarber
to cover Guacamole?
Using it to protect a webmin instance, but the default Guacamole filter
doesn't work and all the documentation I can find regarding syntax for
filters is out of date.
Any hints please?
regards
mdb

Re: anyone still using fail2ban

Евгений Н. Жуков
This works fine

[Definition]
failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.
[Init]
maxlines = 2


Re: anyone still using fail2ban

Erik Berndt
In reply to this post by mbarber
We use a Tomcat filter and it works just fine for Guacamole.

Filter:

# Fail2Ban tomcat filter
#
[INCLUDES]
#
[Definition]
failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.
#
[Init]
#
journalmatch = _SYSTEMD_UNIT=tomcat.service
maxlines = 5

jail.local:

[tomcat]
port = http,https,8080
logpath = %(tomcat_access_log)s
enabled = yes
bantime = 14400
maxretry = 5


Re: anyone still using fail2ban

mbarber
In reply to this post by Евгений Н. Жуков
Thanks mate, but I came across that one somewhere; unfortunately it's not working for me on Ubuntu Server 16.04, Tomcat 9.07, Guacamole 9.14, Java 10.
I just wish the syntax itself wasn't so obscure.


Mark Barber

Re: anyone still using fail2ban

mbarber
In reply to this post by Erik Berndt
Many thanks, but no joy there either; sure I am missing something simple, but it has been a long day :)


Running tests
=============

Use   failregex filter file : tomcat, basedir: /etc/fail2ban
Use         maxlines : 5
Use         log file : /opt/tomcat/logs/catalina.out
Use         encoding : UTF-8

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2] ^24hour:Minute:Second
`-

Lines: 2 lines, 0 ignored, 0 matched, 2 missed [processed in 0.00 sec]
|- Missed line(s):
|  22:16:24.088 [https-jsse-nio-8443-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.168.1.3 for user "bold" failed.
|  22:18:46.077 [https-jsse-nio-8443-exec-6] INFO  o.a.g.r.auth.AuthenticationService - User "dave" successfully authenticated from 192.168.1.3.


Re: anyone still using fail2ban

mbarber
Whilst not a Guacamole issue, it does reflect on its usability, so just
in case anyone else comes across this, possibly after an "upgrade":
I have traced back the regular expression seen in a few places on the
web and discovered that a change has occurred either in the writing or
reading of the log and its consistency with the filter used in
fail2ban; also, anyone using the Ubuntu install will need to adjust the
log location in jail.local.

I have only "got this working", not traced back any undesirable effects
of the modification of the filter, but here it is now working with my install
(Ubuntu Server 16.04, Tomcat 9.07, Guacamole 9.14, oracle-java 10 server):

failregex = ^.*\bAuthentication attempt from <HOST>(?:,.*)? for user ".*" failed\.

I am not sure if the caret at the start is still necessary, but according
to the Python documentation on REs it is at least "best practice".
regards
mdb


Re: anyone still using fail2ban

Mike Jumper-2
In reply to this post by Erik Berndt
On Wed, May 16, 2018 at 1:54 PM, Erik Berndt
<[hidden email]> wrote:

> We use a Tomcat filter and it works just fine for Guacamole.
>
> Filter:
>
> # Fail2Ban tomcat filter
> #
> [INCLUDES]
> #
> [Definition]
> failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.

I use this exact filter regex in production, as well. Works great.

As Guacamole will log the IP addresses specified via the
"X-Forwarded-For" header, it's critical that this header be able to be
trusted if fail2ban is to be used in this way. If a proxy is in use,
then the proxy should be configured to always set this header such
that the first IP in the header is always the true IP address of the
client. If a proxy is *not* in use, then the regex should be altered
to pay attention to only the *last* IP address (the only address which
does not come from this header), as any other address may be spoofed.

Doing otherwise could allow users to override their own IP address
from the perspective of fail2ban, intentionally forcing any other IP
address to be blocked (which would effectively be denial of service).

- Mike
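The following script is an added example, not code from this thread, from fail2ban or from the Guacamole project. It reproduces the two findings above in plain Python: the bracketed filter posted early in the thread misses the unbracketed "Authentication attempt from 192.168.1.3 ..." line that mbarber's fail2ban-regex run showed, and, as Mike points out, on a server with no trusted proxy the first address inside the brackets is whatever the client put in X-Forwarded-For, so banning it lets an attacker pick the address that gets blocked. Assumptions: the `<HOST>` expansion is the fail2ban 0.9-series pattern (newer releases use a richer one, but plain IPv4 addresses match identically); lines are matched with `re.search`, a simplification of fail2ban's own matching; the log lines are constructed to mimic the layout shown in the thread, and 203.0.113.9 is a documentation address standing in for a spoofed X-Forwarded-For value. The third filter, `last-address`, is the added variant for the no-proxy case: it accepts both layouts and captures only the last address, which is the TCP peer.

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> expansion (the 0.9-series pattern; assumption:
# newer releases use a richer expression, but plain IPv4 addresses match the same).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

FILTERS = {
    # Filter posted in the thread: needs brackets and bans the FIRST address,
    # i.e. the first X-Forwarded-For entry when one is present.
    "bracketed-first": r'\bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.',
    # mbarber's variant: matches the unbracketed layout only.
    "unbracketed": r'^.*\bAuthentication attempt from <HOST>(?:,.*)? for user ".*" failed\.',
    # Added variant for a server with NO trusted proxy: accepts either layout
    # and captures only the LAST address (the TCP peer, not spoofable via XFF).
    "last-address": r'\bAuthentication attempt from (?:\[(?:[^\]]*, )?)?<HOST>\]? for user ".*" failed\.',
}

# Constructed sample log (not captured from a server).  Line 1 is the
# unbracketed form from the thread; lines 3-5 carry a client-supplied
# X-Forwarded-For value (203.0.113.9) in front of the real peer 192.168.1.3.
SAMPLE_LOG = """\
22:16:24.088 [https-jsse-nio-8443-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.168.1.3 for user "bold" failed.
22:16:30.101 [https-jsse-nio-8443-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.1.3] for user "bold" failed.
22:16:41.512 [https-jsse-nio-8443-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.9, 192.168.1.3] for user "bold" failed.
22:16:42.017 [https-jsse-nio-8443-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.9, 192.168.1.3] for user "bold" failed.
22:16:42.690 [https-jsse-nio-8443-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.9, 192.168.1.3] for user "bold" failed.
22:18:46.077 [https-jsse-nio-8443-exec-6] INFO  o.a.g.r.auth.AuthenticationService - User "dave" successfully authenticated from 192.168.1.3.
"""


def compile_failregex(pattern):
    """Expand the <HOST> placeholder the way fail2ban does and compile it."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def scan(log_text, pattern):
    """Return the captured host for every log line the failregex matches."""
    rx = compile_failregex(pattern)
    return [m.group("host")
            for m in (rx.search(line) for line in log_text.splitlines()) if m]


def ban_candidates(hosts, maxretry):
    """Hosts that reached maxretry failures, i.e. what the jail would ban."""
    counts = Counter(hosts)
    return sorted(h for h, n in counts.items() if n >= maxretry)


def main():
    for name, pattern in FILTERS.items():
        hits = scan(SAMPLE_LOG, pattern)
        print(f"{name:16s} matched {len(hits)} line(s): {hits}")
        print(f"{'':16s} banned at maxretry=3: {ban_candidates(hits, 3)}")


if __name__ == "__main__":
    main()
```

Running it shows the original filter banning 203.0.113.9, an address the client chose, while the real peer 192.168.1.3 stays under the threshold; the last-address variant bans 192.168.1.3 for all five failures. Behind a trusted proxy the situation reverses: the proxy overwrites the header so the first entry is the true client, and the last entry is the proxy itself, which must never be banned.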