Closed faviann closed 4 years ago
This seems slightly off. I am no pro with fail2ban but this looks like it would only match if there were multiple IP addresses listed, and it would only match the first IP. I may not be correct on this, but if you have any reference links you could provide showing recommendations about a fail2ban regex for guac I'd be happy to accept this PR. I just want to make sure we're getting it right this time and not recommending something that wouldn't work for others in the future.
Thanks!
Totally understandable. And worth mentioning, I'm quite new to this.
I'll investigate in the meantime to make sure what I'm doing makes sense and come back with more details at least.
Figured out why it's like this. Turns out the reason I have the 2 addresses in the logs is because of the reverse proxying done through letsencrypt/nginx. The first IP matches my WAN's client IP. The second IP is the internally NAT-ted LetsEncrypt/nginx container's IP (through docker). So if I got this right, anybody who uses a reverse proxy will end up with my situation.
With that said, the PR is in better shape because the regex filter would now work whether there is some form of reverse proxying used or not.
Not sure how you want to handle things but even though it works for both cases, I'd definitely want somebody else to validate the thing. It's not something I'm very familiar with.
I asked someone else on the Discord to verify this worked for them but didn't hear back. I'm going to go ahead and merge it and it can be updated again in the future if there's a problem.
I'm not sure if it recently changed but the docs for implementing F2B with Guacamole were not totally right. When it came to the regex filter matching auth failures on the guacd.log, turns out it was not matching on my setup.
The log line generated that needed matching was the following:
WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [60.61.62.63, 172.21.0.25] for user "MyFirstUser" failed.
Changed it and made a PR in case it was not me who did something dumb. Anyways, the match seems to work.
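
Added example, not part of the PR or the project's docs: a Python check that one failregex matches the log line quoted above both with and without the reverse-proxy address, capturing only the first IP. The pattern itself, the IPv4-only stand-in for fail2ban's `<HOST>` tag, and the second and third sample lines are assumptions constructed for illustration.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the real
# tag also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical failregex, written in fail2ban syntax. The optional group skips
# any further addresses a reverse proxy appends after the first one.
FAILREGEX = (r'Authentication attempt from \[<HOST>(?:, [^\]]*)?\] '
             r'for user "[^"]*" failed\.$')

PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))


def banned_host(line):
    """Return the address fail2ban would act on, or None if the line is no match."""
    m = PATTERN.search(line.rstrip("\n"))
    return m.group("host") if m else None


# The first line is the one quoted in the thread; the other two are constructed.
SAMPLES = {
    "proxied": 'WARN o.a.g.r.auth.AuthenticationService - Authentication attempt '
               'from [60.61.62.63, 172.21.0.25] for user "MyFirstUser" failed.',
    "direct": 'WARN o.a.g.r.auth.AuthenticationService - Authentication attempt '
              'from [203.0.113.7] for user "MyFirstUser" failed.',
    "other": 'INFO o.a.g.r.auth.AuthenticationService - User "MyFirstUser" '
             'successfully authenticated from [203.0.113.7].',
}


def check_samples():
    """Map each sample name to the captured host (None when the line is ignored)."""
    return {name: banned_host(line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, host in check_samples().items():
        print(f"{name:8} -> {host}")
```

The same pattern can be run against a real log file with fail2ban's own `fail2ban-regex` tool before it goes into a filter.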