diff --git a/guac-optional-features/add-fail2ban.sh b/guac-optional-features/add-fail2ban.sh index de376df..b69bd3b 100644 --- a/guac-optional-features/add-fail2ban.sh +++ b/guac-optional-features/add-fail2ban.sh @@ -3,7 +3,7 @@ # Add fail2ban restrictions to Guacamole # For Ubuntu / Debian / Raspbian # David Harrop -# April 2023 +# December 2024 ####################################################################################################################### # Prepare text output colours @@ -21,6 +21,7 @@ clear if ! [[ $(id -u) = 0 ]]; then echo echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 + echo exit 1 fi @@ -30,12 +31,16 @@ FAIL2BAN_GUAC="" FAIL2BAN_NGINX="" FAIL2BAN_SSH="" TOMCAT_VERSION=$(ls /etc/ | grep tomcat) +TOMCAT_SERVICE_FILE="/usr/lib/systemd/system/$TOMCAT_VERSION.service" +# Tomcat service file logging lines that must exist +OUTPUT_LINE="StandardOutput=append:/var/log/$TOMCAT_VERSION/catalina.out" +ERROR_LINE="StandardError=append:/var/log/$TOMCAT_VERSION/catalina.out" #Clean up from any previous runs -rm -f /tmp/fail2ban.conf +rm -f /tmp/fail2ban.temp1 +rm -f /tmp/fail2ban.temp2 rm -f /tmp/ip_list.txt rm -f /tmp/netaddr.txt -rm -f /tmp/fail2ban.update ####################################################################################################################### # Start setup prompts ################################################################################################# @@ -92,13 +97,14 @@ fi # Install base fail2ban base application, and whitelist the local subnet as the starting baseline (no policy defined yet) if [[ "${FAIL2BAN_BASE}" = true ]]; then - +echo #Update and install fail2ban (and john for management of config file updates, and not overwrite any existing settings) apt-get update -qq apt-get install fail2ban john -qq -y - # Create the basic jail.local template and local subnet whitelist - cat >/tmp/fail2ban.conf </tmp/fail2ban.temp1 < /etc/fail2ban/jail.local' - - # Clean up - rm -f /tmp/fail2ban.conf - rm -f /tmp/ip_list.txt - rm -f /tmp/netaddr.txt - rm -f /tmp/fail2ban.update + sudo bash -c 'cat /tmp/fail2ban.temp1 > /etc/fail2ban/jail.local' # bounce the service to reload the new config systemctl restart fail2ban + + # Display the new config + echo "New base /etc/fail2ban/jail.local config:" + cat /etc/fail2ban/jail.local - # Done echo - echo -e "${LGREEN}Fail2ban installed...${GREY}" + echo -e "${LGREEN}Fail2ban base installed...${GREY}" echo else @@ -212,21 +215,22 @@ fi # Fail2ban optional policy setup items ################################################################################ ####################################################################################################################### -if [[ "${FAIL2BAN_GUAC}" = true ]]; then +if [[ "${FAIL2BAN_GUAC}" = true ]]; then # Create the Guacamole jail.local policy template - cat >/tmp/fail2ban.conf </tmp/fail2ban.temp2 < /etc/fail2ban/jail.local' + # Apply the new Guacamole jail config + sudo bash -c 'cat /tmp/fail2ban.temp2 >> /etc/fail2ban/jail.local' # Backup the default Fail2ban Guacamole filter cp /etc/fail2ban/filter.d/guacamole.conf /etc/fail2ban/filter.d/guacamole.conf.bak @@ -238,20 +242,41 @@ EOF REGEX='failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentication attempt from for user "[^"]*" failed\.$' #Insert the new regex sed -i -e "/Authentication attempt from/a ${REGEX}" /etc/fail2ban/filter.d/guacamole.conf - - # Done - echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban \n \n This script may take a while to complete on first run..." - - # Bounce the service to reload the new config - systemctl restart fail2ban - echo fi -# Clean up -rm -f /tmp/fail2ban.conf -rm -f /tmp/ip_list.txt -rm -f /tmp/netaddr.txt -rm -f /tmp/fail2ban.update + # Clean up + rm -f /tmp/fail2ban.temp1 + rm -f /tmp/fail2ban.temp2 + rm -f /tmp/ip_list.txt + rm -f /tmp/netaddr.txt + apt-get -y remove john > /dev/null 2>&1 + apt-get -y autoremove > /dev/null 2>&1 + +# Display the updated config +echo "Updated jail.local with Guacamole filter policy:" +cat /etc/fail2ban/jail.local + +# make sure Tomcat catalina logs are configured +if [[ ! -f "$TOMCAT_SERVICE_FILE" ]]; then + echo "Error: $TOMCAT_SERVICE_FILE not found, exiting..." + exit 1 +else + if grep -q "^$OUTPUT_LINE" "$TOMCAT_SERVICE_FILE" && grep -q "^$ERROR_LINE" "$TOMCAT_SERVICE_FILE"; then + echo "Required lines already exist in $TOMCAT_SERVICE_FILE. No changes made." + else + # Add lines if they don't already exist + sed -i "/^\[Service\]/a $OUTPUT_LINE\n$ERROR_LINE" "$TOMCAT_SERVICE_FILE" + systemctl daemon-reload + systemctl restart fail2ban + systemctl restart guacd + systemctl restart ${TOMCAT_VERSION} + echo "Lines were added successfully to $TOMCAT_SERVICE_FILE." + fi +fi + + # Done + echo + echo -e "${LGREEN}Guacamole security policy applied, but NOT YET ENABLED FOR LOCAL NETWORK(S) ${GREY}\n- Local network(s) ${SED_NETADDR}are currently whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local then sudo systemctl restart fail2ban" ############## Start Fail2ban NGINX security policy option ############### #if [[ "${FAIL2BAN_NGINX}" = true ]]; then