Feature: Do you know how to implement FAIL2Ban with Guacamole Docker #9
Comments
This is on my to-do list as well. There's a blog post here about it but it's from 2016. I would also recommend you set up Duo for 2FA on Guacamole, it takes about 30 minutes or so to get working. |
@crazy-max could you add these into the repo when you have a moment? @Doubleho7 see my solution below, make sure to update BANACTION if you don't use Cloudflare.
oznu/docker-guacamole container
make sure to mount the volume
config/guacamole/logback.xml
fail2ban container
make sure to mount the volume
jail.d/guacamole.conf
filter.d/guacamole-auth.conf
|
Hi. After back and forth, finally got it working; your guacamole-auth.conf threw me out. Here is my config, a bit different to yours. My only concern is that you can attempt to log in multiple times; only when the page is refreshed do you get the failed login from Cloudflare. Is there no way around this? How do you go about banning IPs if you are not using Cloudflare and perhaps using F5 as a load balancer / reverse proxy?
jail.d/guacamole.conf
filter.d/guacamole-auth.conf
action.d/cloudflare.conf
docker-compose.yaml
config/guacamole/logback.xml
Some Tips
You can use the following commands to check if they are being banned or not.
Enter fail2ban interactive mode:
Check the status of the jail:
Unban with:
|
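As an added example (not code posted in this thread, nor taken from the fail2ban or Guacamole projects), this Python script mirrors what a fail2ban filter and jail do with Guacamole's failed-login messages: match the line, take the client address, and count failures per address in a time window. The log layout (Guacamole's default logback pattern), the `maxretry`/`findtime` values, the choice of the first logged address as the client, and the names `FAIL_RE` and `hosts_to_ban` are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout: Guacamole's default logback pattern
# "%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n".
# The prefix is anchored so the first address on the line is the one counted;
# behind a reverse proxy Guacamole logs it as "[client, proxy]".
FAIL_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2})\.\d{3} \[[^\]]+\] \w+ +\S+ - '
    r'Authentication attempt from \[?(?P<host>[0-9A-Fa-f.:]+)(?:, [^\]]*)?\]? '
    r'for user ".*" failed\.$'
)

def hosts_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Hosts reaching maxretry failures within findtime (assumed jail values)."""
    recent = defaultdict(deque)
    banned = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S")  # time of day only
        window = recent[m["host"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and m["host"] not in banned:
            banned.append(m["host"])
    return banned

# Constructed sample lines, not taken from a real server.
PRE = " [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - "
ATT = PRE + "Authentication attempt from "
SAMPLE_LOG = [
    "12:00:01.100" + ATT + '[203.0.113.7, 172.18.0.2] for user "admin" failed.',
    "12:00:05.200" + ATT + '[203.0.113.7, 172.18.0.2] for user "root" failed.',
    "12:00:09.300" + PRE + 'User "alice" successfully authenticated.',
    # Username crafted to look like a failure from another address:
    "12:00:12.000" + ATT + '[203.0.113.7, 172.18.0.2] for user '
    '"Authentication attempt from 192.0.2.1 for user "x" failed.',
    "12:30:00.000" + ATT + '198.51.100.9 for user "bob" failed.',
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

Because the pattern is anchored to the start of the line, the address embedded in the crafted username is never counted; a filter that begins with an unanchored `.*` would pick up that later address instead.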
Glad you were able to get it working! I'm not sure why the ban takes effect only on page refresh. Maybe it has to do with Cloudflare and caching. I also ban IPs on my pfSense modem using a Docker container I wrote. Basically it syncs bans from Cloudflare and inserts them into my pfSense firewall rules. I have it update the list every hour. Check it out here: For even more security, only accept IPs from Cloudflare IP/CIDR on port 80/443. |
@onedr0p Of course! |
You don't have to create a volume for each file:
Just copy them inside
Check this section in the README. PS: I've edited your comment above that was unreadable. I advise you to read this guide to use Markdown properly for your next comments ;) |
nice write up @crazy-max 👍 |
@crazy-max @onedr0p |
Easiest way I've found to spin up guac is to use this container. If you use the official guac docker image it requires a bit more work. Using @oznu docker image it should be really straight forward. |
@onedr0p Thanks, I will look into this. However, the container seems quite outdated, 6 months, and doesn't look like it is maintained. Isn't this a problem? |
There hasn't been a release for Guacamole in a long time either. Check their GitHub. |
Indeed, thanks for pointing this out! |
Struggling to get Fail2Ban to work with Guacamole Docker. This would be a great addition, especially since there is no mechanism protecting from brute force. I use Traefik and Cloudflare.