From 4d80fad87445f669a1517174d06e2c66c05616bd Mon Sep 17 00:00:00 2001
From: Steven Hiscocks
Date: Tue, 16 Apr 2013 21:13:31 +0100
Subject: [PATCH] ENH+DOC: Add Guacamole filter, example log and jail
---
 config/filter.d/guacamole.conf | 18 ++++++++++++++++++
 config/jail.conf | 10 ++++++++++
 fail2ban/tests/files/logs/guacamole | 6 ++++++
 3 files changed, 34 insertions(+)
 create mode 100644 config/filter.d/guacamole.conf
 create mode 100644 fail2ban/tests/files/logs/guacamole
diff --git a/config/filter.d/guacamole.conf b/config/filter.d/guacamole.conf
new file mode 100644
index 00000000..272460e3
--- /dev/null
+++ b/config/filter.d/guacamole.conf
@@ -0,0 +1,18 @@
+# Fail2Ban configuration file for guacamole
+#
+# Author: Steven Hiscocks
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT
+#
+failregex = ^.*\nWARNING: Authentication attempt from for user "[^"]*" failed\.$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/config/jail.conf b/config/jail.conf
index 4399d0bd..c331e914 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -357,6 +357,16 @@ action = iptables[name=mysql, port=3306, protocol=tcp]
 logpath = /var/log/mysqld.log
 maxretry = 5
+[guacamole-iptables]
+
+enabled = false
+filter = guacamole
+action = iptables-multiport[name=Guacmole, port="http,https"]
+ sendmail-whois[name=Guacamole, dest=root, sender=fail2ban@example.com]
+logpath = /var/log/tomcat*/catalina.out
+maxretry = 5
+maxlines = 2
+
 # Jail for more extended banning of persistent abusers
 # !!! WARNING !!!
diff --git a/fail2ban/tests/files/logs/guacamole b/fail2ban/tests/files/logs/guacamole
new file mode 100644
index 00000000..b0f82f30
--- /dev/null
+++ b/fail2ban/tests/files/logs/guacamole
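Review bot: As shown on this page the `failregex` in config/filter.d/guacamole.conf has nothing between `from` and `for user`, so it carries no `<HOST>` tag and cannot match the sample log lines, which have `192.0.2.0` in that position; the tag was probably lost when the page was rendered, and the line should read `failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$`. The leading `^.*\n` makes this a two-line pattern, so the filter only works when the jail sets `maxlines = 2`; a comment above `failregex` such as `# Multi-line: needs maxlines = 2 in the jail (timestamp line + WARNING line)` would keep the two files in step. The user name inside the quotes is supplied by the client, so the header comment should also say that the ban decision trusts Guacamole to write that value to `catalina.out` without raw line breaks.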
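Review bot: In the new `[guacamole-iptables]` section of config/jail.conf the `iptables-multiport` action is given `name=Guacmole` while the `sendmail-whois` line below it uses `name=Guacamole`; the misspelling looks unintended and leaves the firewall action and the mail notification under different names, so I would change it to `action = iptables-multiport[name=Guacamole, port="http,https"]`. `port="http,https"` only covers the default web ports, so if Tomcat is reached directly on its own connector port rather than through a front end on 80/443 the ban would presumably not block the client; a one-line comment such as `# adjust port= if Tomcat is exposed directly` would make that visible. `maxlines = 2` deserves a comment as well, for example `# required: the guacamole failregex spans two log lines`, because removing it silently disables the filter.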
@@ -0,0 +1,6 @@
+apr 15, 2013 8:34:08 PM org.slf4j.impl.JCLLoggerAdapter warn
+WARNING: Authentication attempt from 192.0.2.0 for user "null" failed.
+apr 16, 2013 8:32:13 AM org.slf4j.impl.JCLLoggerAdapter warn
+WARNING: Authentication attempt from 192.0.2.0 for user "null" failed.
+apr 16, 2013 8:32:28 AM org.slf4j.impl.JCLLoggerAdapter warn
+WARNING: Authentication attempt from 192.0.2.0 for user "pippo" failed.