Feature: Do you know how to implement FAIL2Ban with Guacamole Docker #9

Closed
Doubleho7 opened this issue Nov 20, 2018 · 12 comments

Comments

@Doubleho7

Struggling to get Fail2Ban to work with Guacamole Docker. This would be a great addition, especially since there is no mechanism protecting against brute force. I use Traefik and Cloudflare.

@onedr0p

onedr0p commented Nov 21, 2018

This is on my to-do list as well. There's a blog post here about it but it's from 2016. I would also recommend you set up Duo for 2FA on Guacamole, it takes about 30 minutes or so to get working.

@onedr0p

onedr0p commented Nov 21, 2018

@crazy-max could you add these into the repo when you have a moment?

@Doubleho7 see my solution below; make sure to update banaction if you don't use Cloudflare.

oznu/docker-guacamole container

make sure to mount the volume /var/log/guacamole:/usr/local/tomcat/logs in your container

config/guacamole/logback.xml

<configuration>
        <!-- Appender for debugging -->
        <appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
                <encoder>
                        <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
                </encoder>
        </appender>
        <!-- Appender for debugging in a file-->
        <appender name="GUAC-DEBUG_FILE" class="ch.qos.logback.core.FileAppender">
                <file>/usr/local/tomcat/logs/guacd.log</file>
                <encoder>
                        <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
                </encoder>
        </appender>
        <!-- Log at DEBUG level -->
        <root level="debug">
                <appender-ref ref="GUAC-DEBUG"/>
                <appender-ref ref="GUAC-DEBUG_FILE"/>
        </root>
</configuration>

fail2ban container

make sure to mount the volume /var/log/guacamole/guacd.log:/var/log/guacamole/guacd.log:ro in your container

jail.d/guacamole.conf

[DEFAULT]
banaction = cloudflare

[guacamole-auth]
enabled = true
logpath = /var/log/guacamole/guacd.log
port = http,https

bantime = -1
maxretry = 5

filter.d/guacamole-auth.conf

[Definition]
failregex = \bAuthentication attempt from [<HOST>(?:,.*)?] for user ".*" failed\.
ignoreregex =

@Doubleho7
Author

Doubleho7 commented Nov 21, 2018

Hi. After some back and forth, I finally got it working; your guacamole-auth.conf threw me out.

Here is my config, a bit different from yours.

My only concern is that you can attempt to log in multiple times; only when the page is refreshed do you get the failed login from Cloudflare. Is there no way around this?

How do you go about banning IPs if you are not using Cloudflare and are perhaps using F5 as a load balancer / reverse proxy?

jail.d/guacamole.conf

[DEFAULT]
banaction = cloudflare

[guacamole-auth]
enabled = true
logpath = /var/log/guacamole/guacd.log
port = http,https

bantime = -1
maxretry = 5

filter.d/guacamole-auth.conf

[Definition]
failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.
ignoreregex =

action.d/cloudflare.conf

https://fossies.org/linux/misc/fail2ban-0.10.4.tar.gz/fail2ban-0.10.4/config/action.d/cloudflare.conf?m=t

docker-compose.yaml

version: "3.2"

services:
  fail2ban: 
    container_name: fail2ban
    environment: 
      - PUID=1000
      - PGID=1000
      - TZ=Africa/Harare
    image: "crazymax/fail2ban:latest"
    network_mode: host
    privileged: true
    restart: always
    volumes: 
      - "/var/log/guacamole/guacd.log:/var/log/guacamole/guacd.log"
      - "/home/user/fail2ban/jail.d/guacamole.conf:/etc/fail2ban/jail.d/guacamole.conf"
      - "/home/user/fail2ban/filter.d/guacamole-auth.conf:/etc/fail2ban/filter.d/guacamole-auth.conf"
      - "/home/user/fail2ban/action.d/cloudflare.conf:/etc/fail2ban/action.d/cloudflare.conf"
  guacamole: 
    container_name: Guacamole
    environment: 
      - PUID=1000
      - PGID=1000
      - TZ=Africa/Harare
      - EXTENSIONS=auth-duo
    image: oznu/guacamole
    labels: 
      - traefik.backend=Guacamole
      - traefik.docker.network=proxy
      - "traefik.frontend.rule=Host:sub.domain.com"
      - traefik.enable=true
      - traefik.port=8080
      - traefik.default.protocol=http
    network_mode: bridge
    ports: 
      - "8074:8080"
    restart: unless-stopped
    volumes: 
      - "/var/log/guacamole/:/usr/local/tomcat/logs"
      - "/home/user/guacamole/config:/config"

config/guacamole/logback.xml

<configuration>
        <!-- Appender for debugging -->
        <appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
                <encoder>
                        <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
                </encoder>
        </appender>
        <!-- Appender for debugging in a file-->
        <appender name="GUAC-DEBUG_FILE" class="ch.qos.logback.core.FileAppender">
                <file>/usr/local/tomcat/logs/guacd.log</file>
                <encoder>
                        <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
                </encoder>
        </appender>
        <!-- Log at DEBUG level -->
        <root level="debug">
                <appender-ref ref="GUAC-DEBUG"/>
                <appender-ref ref="GUAC-DEBUG_FILE"/>
        </root>
</configuration>

Some Tips

You can use the following commands to check whether IPs are being banned or not.

Enter fail2ban interactive mode:

fail2ban-client -i

Check the status of the jail:

status guacamole-auth

Unban with:

set guacamole-auth unbanip x.x.x.x
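
The two guacamole-auth.conf filters posted in this thread differ only in the escaped square brackets, and that difference is why the first one failed to load. The following is an added example, not code from this thread or from the fail2ban or Guacamole projects: a small Python harness that expands <HOST> with a simplified stand-in for Fail2Ban's own address pattern (an assumption; the real expansion is more elaborate), compiles both failregex variants, and runs the working one over constructed Guacamole log lines in the logback pattern shown above, counting failures per source address against the jail's maxretry of 5. The log lines, logger names and addresses are all constructed for illustration.

```python
import re
import warnings
from collections import Counter

# Simplified stand-in for Fail2Ban's own <HOST> expansion (hypothetical; for
# offline testing only). It accepts IPv4, IPv6 and hostnames as they appear
# inside the [ ] of the Guacamole log format quoted in the thread.
HOST_RE = r"(?P<host>[\w\-.:^_]*\w)"

# Filter as first posted: the unescaped [ ] form a regex character class.
FAILREGEX_BROKEN = r'\bAuthentication attempt from [<HOST>(?:,.*)?] for user ".*" failed\.'
# Filter with the brackets escaped so they match the literal [ ] in the log line.
FAILREGEX_FIXED = r'\bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.'

MAXRETRY = 5  # same value as in jail.d/guacamole.conf above

# Constructed sample lines in the logback pattern from the thread; not real traffic.
SAMPLE_LOG = """\
09:14:02.118 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "admin" failed.
09:14:03.402 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "root" failed.
09:14:04.511 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "guacadmin" failed.
09:14:05.620 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "test" failed.
09:14:06.731 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "admin" failed.
09:14:09.004 [http-nio-8080-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.23, 172.18.0.2] for user "alice" failed.
09:14:10.100 [http-nio-8080-exec-7] INFO  o.a.g.r.auth.AuthenticationService - User "bob" successfully authenticated from [192.0.2.44].
09:14:11.200 [http-nio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [2001:db8::1] for user "carol" failed.
"""


def compile_filter(failregex):
    """Expand <HOST> the way a Fail2Ban filter is loaded and compile it.

    Returns None when the pattern is invalid. The unescaped-bracket version
    turns `[<HOST>...]` into a character class followed by an unbalanced `)`,
    so it never compiles, which is why Fail2Ban refuses to load that filter.
    """
    expanded = failregex.replace("<HOST>", HOST_RE)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # Python warns about '[' inside a class
        try:
            return re.compile(expanded)
        except re.error:
            return None


def failed_hosts(pattern, log_text):
    """Return the <HOST> capture of every log line the filter matches, in order.

    With a proxy chain such as [client, proxy] only the first address is
    captured; the trailing (?:,.*)? in the filter swallows the rest.
    """
    return [m.group("host") for line in log_text.splitlines()
            if (m := pattern.search(line))]


def hosts_to_ban(hosts, maxretry=MAXRETRY):
    """Hosts that reached maxretry failures (findtime is ignored in this toy)."""
    return {host for host, n in Counter(hosts).items() if n >= maxretry}


if __name__ == "__main__":
    print("broken filter loads:", compile_filter(FAILREGEX_BROKEN) is not None)
    fixed = compile_filter(FAILREGEX_FIXED)
    hosts = failed_hosts(fixed, SAMPLE_LOG)
    print("failures per host:", dict(Counter(hosts)))
    print("would ban:", hosts_to_ban(hosts))
```

Two things to check against a real guacd.log before relying on this: the filter captures the first address in the bracketed list, so behind Traefik or Cloudflare confirm that entry is the real client and not the proxy, or the jail will ban the proxy; and use the authoritative tool, `fail2ban-regex /var/log/guacamole/guacd.log /etc/fail2ban/filter.d/guacamole-auth.conf`, which reports how many lines matched and flags a filter that does not load.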

@onedr0p

onedr0p commented Nov 21, 2018

Glad you were able to get it working! I'm not sure why the ban takes effect only on page refresh. Maybe it has to do with cloudflare and caching.

I also ban IPs on my pfsense modem using a docker container I wrote. Basically it syncs bans from Cloudflare and inserts them into my pfsense firewall rules. I have it update the list every hour.

Check it out here:
https://gitlab.com/onedr0p/cloudflare-firewall-blocklist

For even more security only accept IPs from Cloudflare IP/CIDR on port 80/443.

@crazy-max
Owner

could you add these into the repo when you have a moment?

@onedr0p Of course!

@crazy-max
Owner

crazy-max commented Nov 21, 2018

@Doubleho7

You don't have to create a volume for each file:

  volumes:
      - "/var/log/guacamole/guacd.log:/var/log/guacamole/guacd.log"
      - "/home/user/fail2ban/jail.d/guacamole.conf:/etc/fail2ban/jail.d/guacamole.conf"
      - "/home/user/fail2ban/filter.d/guacamole-auth.conf:/etc/fail2ban/filter.d/guacamole-auth.conf"
      - "/home/user/fail2ban/action.d/cloudflare.conf:/etc/fail2ban/action.d/cloudflare.conf"

Just copy them into /home/user/fail2ban/data/jail.d and /home/user/fail2ban/data/filter.d. The log folder is already bind-mounted (see the docker-compose example):

  volumes:
      - "/var/log:/var/log:ro"
      - "/home/user/fail2ban/data:/data"

Check this section in the README.

PS: I've edited your comment above that was unreadable. I advise you to read this guide to use Markdown properly for your next comments ;)

crazy-max added a commit that referenced this issue Nov 21, 2018
@onedr0p

onedr0p commented Nov 22, 2018

nice write up @crazy-max 👍

@gurabli

gurabli commented Nov 25, 2018

@crazy-max @onedr0p
I'm struggling to get Guacamole and its database (and everything else required) up and running on my server. Do you mind sharing your docker-compose for everything needed to configure Guacamole? I tried to follow a deployment guide at Plexguide, but it is specific to the paths used in the Plexguide scripts. Many thanks!

@onedr0p

onedr0p commented Nov 25, 2018

The easiest way I've found to spin up Guacamole is to use this container. If you use the official Guacamole Docker image it requires a bit more work. Using @oznu's Docker image it should be really straightforward.

https://github.com/oznu/docker-guacamole

@gurabli

gurabli commented Nov 26, 2018

@onedr0p Thanks, I will look into this. However, the container seems quite outdated (6 months) and doesn't look like it is maintained. Isn't this a problem?

@onedr0p

onedr0p commented Nov 26, 2018

There hasn't been a release for Guacamole in a long time either. Check their GitHub.

@gurabli

gurabli commented Nov 26, 2018

Indeed, thanks for pointing this out!
Wonder if it is safe to use with such a slow release cycle? I mean security wise.
