mirror of
https://github.com/itiligent/Easy-Guacamole-Installer.git
synced 2025-12-12 17:32:32 +00:00
fix for recent tomcat log changes #69
This commit is contained in:
Itiligent
parent
d42109fa1f
commit
152e9d9d73
1 changed files with 60 additions and 35 deletions
|
|
@ -3,7 +3,7 @@
|
|||
# Add fail2ban restrictions to Guacamole
|
||||
# For Ubuntu / Debian / Raspbian
|
||||
# David Harrop
|
||||
# April 2023
|
||||
# December 2024
|
||||
#######################################################################################################################
|
||||
|
||||
# Prepare text output colours
|
||||
|
|
@ -21,6 +21,7 @@ clear
|
|||
if ! [[ $(id -u) = 0 ]]; then
|
||||
echo
|
||||
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
|
@ -30,12 +31,16 @@ FAIL2BAN_GUAC=""
|
|||
FAIL2BAN_NGINX=""
|
||||
FAIL2BAN_SSH=""
|
||||
TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
|
||||
TOMCAT_SERVICE_FILE="/usr/lib/systemd/system/$TOMCAT_VERSION.service"
|
||||
# Tomcat service file logging lines that must exist
|
||||
OUTPUT_LINE="StandardOutput=append:/var/log/$TOMCAT_VERSION/catalina.out"
|
||||
ERROR_LINE="StandardError=append:/var/log/$TOMCAT_VERSION/catalina.out"
|
||||
|
||||
#Clean up from any previous runs
|
||||
rm -f /tmp/fail2ban.conf
|
||||
rm -f /tmp/fail2ban.temp1
|
||||
rm -f /tmp/fail2ban.temp2
|
||||
rm -f /tmp/ip_list.txt
|
||||
rm -f /tmp/netaddr.txt
|
||||
rm -f /tmp/fail2ban.update
|
||||
|
||||
#######################################################################################################################
|
||||
# Start setup prompts #################################################################################################
|
||||
|
|
@ -92,13 +97,14 @@ fi
|
|||
|
||||
# Install base fail2ban base application, and whitelist the local subnet as the starting baseline (no policy defined yet)
|
||||
if [[ "${FAIL2BAN_BASE}" = true ]]; then
|
||||
|
||||
echo
|
||||
#Update and install fail2ban (and john for management of config file updates, and not overwrite any existing settings)
|
||||
apt-get update -qq
|
||||
apt-get install fail2ban john -qq -y
|
||||
|
||||
# Create the basic jail.local template and local subnet whitelist
|
||||
cat >/tmp/fail2ban.conf <<EOF
|
||||
# Create the basic jail.local template local subnet whitelist
|
||||
echo
|
||||
cat >/tmp/fail2ban.temp1 <<EOF
|
||||
[DEFAULT]
|
||||
destemail = yourname@example.com
|
||||
sender = yourname@example.com
|
||||
|
|
@ -181,26 +187,23 @@ if [[ "${FAIL2BAN_BASE}" = true ]]; then
|
|||
# Finally assemble the entire syntax of the ignoreip whitelist for insertion into the base fail2ban config
|
||||
SED_IGNORE=$(echo "ignoreip = ")
|
||||
SED_NETADDR=$(cat /tmp/netaddr.txt)
|
||||
sed -i "s|ignoreip \=|${SED_IGNORE}${SED_NETADDR}|g" /tmp/fail2ban.conf
|
||||
sed -i "s|ignoreip \=|${SED_IGNORE}${SED_NETADDR}|g" /tmp/fail2ban.temp1
|
||||
|
||||
# Move the new base fail2ban config to the jail.local file
|
||||
touch /etc/fail2ban/jail.local
|
||||
|
||||
# Apply the base config, keeping any pre-existing settings
|
||||
sudo bash -c 'cat /tmp/fail2ban.conf /etc/fail2ban/jail.local | unique /tmp/fail2ban.update ; cat /tmp/fail2ban.update > /etc/fail2ban/jail.local'
|
||||
|
||||
# Clean up
|
||||
rm -f /tmp/fail2ban.conf
|
||||
rm -f /tmp/ip_list.txt
|
||||
rm -f /tmp/netaddr.txt
|
||||
rm -f /tmp/fail2ban.update
|
||||
sudo bash -c 'cat /tmp/fail2ban.temp1 > /etc/fail2ban/jail.local'
|
||||
|
||||
# bounce the service to reload the new config
|
||||
systemctl restart fail2ban
|
||||
|
||||
# Done
|
||||
# Display the new config
|
||||
echo "New base /etc/fail2ban/jail.local config:"
|
||||
cat /etc/fail2ban/jail.local
|
||||
|
||||
echo
|
||||
echo -e "${LGREEN}Fail2ban installed...${GREY}"
|
||||
echo -e "${LGREEN}Fail2ban base installed...${GREY}"
|
||||
echo
|
||||
|
||||
else
|
||||
|
|
@ -212,21 +215,22 @@ fi
|
|||
# Fail2ban optional policy setup items ################################################################################
|
||||
#######################################################################################################################
|
||||
|
||||
if [[ "${FAIL2BAN_GUAC}" = true ]]; then
|
||||
|
||||
if [[ "${FAIL2BAN_GUAC}" = true ]]; then
|
||||
# Create the Guacamole jail.local policy template
|
||||
cat >/tmp/fail2ban.conf <<EOF
|
||||
cat >/tmp/fail2ban.temp2 <<EOF
|
||||
|
||||
[guacamole]
|
||||
enabled = true
|
||||
port = http,https
|
||||
logpath = /var/log/$TOMCAT_VERSION/catalina.out
|
||||
bantime = 15m
|
||||
bantime = 10m
|
||||
findtime = 60m
|
||||
maxretry = 5
|
||||
EOF
|
||||
|
||||
# Apply the new Guacamole jail config keeping any pre-existing settings
|
||||
sudo bash -c 'cat /tmp/fail2ban.conf /etc/fail2ban/jail.local | unique /tmp/fail2ban.update ; cat /tmp/fail2ban.update > /etc/fail2ban/jail.local'
|
||||
# Apply the new Guacamole jail config
|
||||
sudo bash -c 'cat /tmp/fail2ban.temp2 >> /etc/fail2ban/jail.local'
|
||||
|
||||
# Backup the default Fail2ban Guacamole filter
|
||||
cp /etc/fail2ban/filter.d/guacamole.conf /etc/fail2ban/filter.d/guacamole.conf.bak
|
||||
|
|
@ -238,20 +242,41 @@ EOF
|
|||
REGEX='failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentication attempt from <HOST> for user "[^"]*" failed\.$'
|
||||
#Insert the new regex
|
||||
sed -i -e "/Authentication attempt from/a ${REGEX}" /etc/fail2ban/filter.d/guacamole.conf
|
||||
|
||||
# Done
|
||||
echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban \n \n This script may take a while to complete on first run..."
|
||||
|
||||
# Bounce the service to reload the new config
|
||||
systemctl restart fail2ban
|
||||
echo
|
||||
fi
|
||||
|
||||
# Clean up
|
||||
rm -f /tmp/fail2ban.conf
|
||||
rm -f /tmp/fail2ban.temp1
|
||||
rm -f /tmp/fail2ban.temp2
|
||||
rm -f /tmp/ip_list.txt
|
||||
rm -f /tmp/netaddr.txt
|
||||
rm -f /tmp/fail2ban.update
|
||||
apt-get -y remove john > /dev/null 2>&1
|
||||
apt-get -y autoremove > /dev/null 2>&1
|
||||
|
||||
# Display the updated config
|
||||
echo "Updated jail.local with Guacamole filter policy:"
|
||||
cat /etc/fail2ban/jail.local
|
||||
|
||||
# make sure Tomcat catalina logs are configured
|
||||
if [[ ! -f "$TOMCAT_SERVICE_FILE" ]]; then
|
||||
echo "Error: $TOMCAT_SERVICE_FILE not found, exiting..."
|
||||
exit 1
|
||||
else
|
||||
if grep -q "^$OUTPUT_LINE" "$TOMCAT_SERVICE_FILE" && grep -q "^$ERROR_LINE" "$TOMCAT_SERVICE_FILE"; then
|
||||
echo "Required lines already exist in $TOMCAT_SERVICE_FILE. No changes made."
|
||||
else
|
||||
# Add lines if they don't already exist
|
||||
sed -i "/^\[Service\]/a $OUTPUT_LINE\n$ERROR_LINE" "$TOMCAT_SERVICE_FILE"
|
||||
systemctl daemon-reload
|
||||
systemctl restart fail2ban
|
||||
systemctl restart guacd
|
||||
systemctl restart ${TOMCAT_VERSION}
|
||||
echo "Lines were added successfully to $TOMCAT_SERVICE_FILE."
|
||||
fi
|
||||
fi
|
||||
|
||||
# Done
|
||||
echo
|
||||
echo -e "${LGREEN}Guacamole security policy applied, but NOT YET ENABLED FOR LOCAL NETWORK(S) ${GREY}\n- Local network(s) ${SED_NETADDR}are currently whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local then sudo systemctl restart fail2ban"
|
||||
|
||||
############## Start Fail2ban NGINX security policy option ###############
|
||||
#if [[ "${FAIL2BAN_NGINX}" = true ]]; then
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue