The failed MFA attempts are logged to /var/log/tomcat9/catalina.out.
Here is a script on which you can set a threshold; it will detect 5 attempts
in 60 seconds. You can extend the script to further parse the IP out and
ban it. Hope this helps.
#!/bin/bash
LOG_FILE="/var/log/tomcat9/catalina.out"
TIME_WINDOW=60              # Time window in seconds
MAX_CONSECUTIVE_ATTEMPTS=5  # Maximum consecutive attempts within the time window

# Use gawk to process the log file (mktime() is a gawk extension; mawk does not have it)
gawk -v time_window="$TIME_WINDOW" -v max_consecutive_attempts="$MAX_CONSECUTIVE_ATTEMPTS" '
# Convert the Tomcat "dd-MMM-yyyy HH:mm:ss.SSS" date and time fields to epoch
# seconds, so that two timestamps can actually be subtracted
function to_epoch(date, time,    d, t, mon) {
    split(date, d, "-")
    split(time, t, ":")
    mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", d[2]) + 2) / 3
    return mktime(d[3] " " mon " " d[1] " " t[1] " " t[2] " " int(t[3]))
}
function print_last_occurrences(user,    i, first) {
    print "Last " max_consecutive_attempts " occurrences for user " user ":"
    first = max_index[user] - max_consecutive_attempts + 1
    for (i = (first < 1 ? 1 : first); i <= max_index[user]; i++) {
        print occurrences[user, i]
    }
}
/User/ {
    timestamp = to_epoch($1, $2)  # Date and time fields -> epoch seconds
    # match() sets RSTART/RLENGTH (the ~ operator does not); skip the "User " prefix
    user = match($0, /User [^ ]+/) ? substr($0, RSTART + 5, RLENGTH - 5) : "Unknown"
    if (user == last_user && timestamp - last_timestamp <= time_window) {
        consecutive_attempts++
        if (consecutive_attempts > max_consecutive_attempts) {
            print_last_occurrences(user)
            print "Failed MFA Verification more than " max_consecutive_attempts " times in a row"
            exit 0
        }
    } else {
        consecutive_attempts = 1
    }
    occurrences[user, ++max_index[user]] = $0
    last_user = user
    last_timestamp = timestamp
}
' "$LOG_FILE"
*Thank You*
Sean Hulbert
*Security Centric Inc.*
A Cybersecurity Virtualization Enablement Company
/StormCloud Gov, Protected CUI Environment!/
Industry's most secure virtual desktops!
*/FedRAMP MIL4 in process (RAR)/*
System Award Management
*CAGE: 8AUV4*
*SAM ID: UMJLJ8A7BMT3*
AFCEA San Francisco Chapter President
If you have heard of a hacker by name, he/she has failed, fear the
hacker you haven’t heard of!
CONFIDENTIALITY NOTICE: This communication with its contents may contain
confidential and/or legally privileged information. It is solely for the
use of the intended recipient(s). Unauthorized interception, review, use
or disclosure is prohibited and may violate applicable laws including
the Electronic Communications Privacy Act. If you are not the intended
recipient, please contact the sender and destroy all copies of the
communication. Content within this email communication is not legally
binding as a contract and no promises are guaranteed unless in a formal
contract outside this email communication.
igitur qui desiderat pacem, praeparet bellum!!!
Epitoma Rei Militaris
On 6/18/2024 10:29 AM, fed wrote:
Right now, for failed login attempts (via password), I am using fail2ban;
it seems fine.
- fed
On Tue, 18 Jun 2024 at 17:03, Sean Hulbert
<shulb...@securitycentric.net.invalid> wrote:
You can use netfilter to rate limit, then place a ban on them for
x time frame when violated.
On 6/18/2024 7:40 AM, fed wrote:
Ok nice, I will look for this release!
Thanks
On Tue, 18 Jun 2024 at 16:34, Nick Couchman <vn...@apache.org> wrote:
On Tue, Jun 18, 2024 at 10:24 AM fed <res...@gmail.com> wrote:
Hi,
I didn't read about this in the manual. As in the subject: is it
possible to rate limit TOTP attempts, or at least log failed attempts,
like it happens for successful/failed login attempts via password?
Today, no - but there is an extension that will be part of
the 1.6.0 release, guacamole-auth-ban, that will allow for
rate-limiting failed login requests.
-Nick
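The following is an added example, not code from this thread, from Guacamole or from guacamole-auth-ban. It does the job Sean's awk script at the top of the thread describes (N failed MFA attempts inside W seconds) as a true sliding window rather than a previous-line gap check, and it counts per user and per source IP separately, so a spray of single attempts against many accounts from one address is caught too. The log lines are constructed for the example: the timestamp is the Tomcat OneLineFormatter shape (`dd-MMM-yyyy HH:mm:ss.SSS`), but the `... failed ... User <name> from <ip>` wording and the `guacamole-totp` source field are assumptions, so adjust `FAIL_RE` to whatever your catalina.out actually prints. The nftables table `inet filter` and set `banned` (created with `flags timeout`) in `ban_commands` are likewise assumed, not a default.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # size of the sliding window
THRESHOLD = 5         # failures inside the window that raise an alert

# Assumed line shape (constructed for this example, not verified Guacamole
# output): Tomcat timestamp, then "... failed ... User <name> from <ip>".
FAIL_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r".*\bfailed\b.*\bUser (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: alice bursts from one IP, bob fails slowly (never 5
# within 60 s), three users are sprayed from 192.0.2.44, plus one INFO line.
SAMPLE_LOG = """\
18-Jun-2024 10:00:00.000 WARNING [http-nio-8080-exec-1] guacamole-totp TOTP verification failed for User alice from 203.0.113.5
18-Jun-2024 10:00:10.000 WARNING [http-nio-8080-exec-2] guacamole-totp TOTP verification failed for User alice from 203.0.113.5
18-Jun-2024 10:00:15.000 INFO [http-nio-8080-exec-3] guacamole-auth User bob successfully authenticated from 198.51.100.9
18-Jun-2024 10:00:20.000 WARNING [http-nio-8080-exec-1] guacamole-totp TOTP verification failed for User alice from 203.0.113.5
18-Jun-2024 10:00:30.000 WARNING [http-nio-8080-exec-2] guacamole-totp TOTP verification failed for User alice from 203.0.113.5
18-Jun-2024 10:00:40.000 WARNING [http-nio-8080-exec-1] guacamole-totp TOTP verification failed for User alice from 203.0.113.5
18-Jun-2024 10:01:00.000 WARNING [http-nio-8080-exec-4] guacamole-totp TOTP verification failed for User bob from 198.51.100.9
18-Jun-2024 10:01:30.000 WARNING [http-nio-8080-exec-4] guacamole-totp TOTP verification failed for User bob from 198.51.100.9
18-Jun-2024 10:02:00.000 WARNING [http-nio-8080-exec-4] guacamole-totp TOTP verification failed for User bob from 198.51.100.9
18-Jun-2024 10:02:30.000 WARNING [http-nio-8080-exec-4] guacamole-totp TOTP verification failed for User bob from 198.51.100.9
18-Jun-2024 10:03:00.000 WARNING [http-nio-8080-exec-4] guacamole-totp TOTP verification failed for User bob from 198.51.100.9
18-Jun-2024 10:05:00.000 WARNING [http-nio-8080-exec-5] guacamole-totp TOTP verification failed for User carol from 192.0.2.44
18-Jun-2024 10:05:05.000 WARNING [http-nio-8080-exec-5] guacamole-totp TOTP verification failed for User dave from 192.0.2.44
18-Jun-2024 10:05:10.000 WARNING [http-nio-8080-exec-5] guacamole-totp TOTP verification failed for User carol from 192.0.2.44
18-Jun-2024 10:05:15.000 WARNING [http-nio-8080-exec-5] guacamole-totp TOTP verification failed for User erin from 192.0.2.44
18-Jun-2024 10:05:20.000 WARNING [http-nio-8080-exec-5] guacamole-totp TOTP verification failed for User dave from 192.0.2.44
"""


def parse_failure(line):
    """Return (timestamp, user, ip) for a failed-MFA line, or None otherwise."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("user"), m.group("ip")


def detect_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding-window failure count per user and per source IP.

    Returns a list of (kind, value, timestamp) alerts, at most one per key,
    emitted the first time that key has `threshold` failures whose
    timestamps all lie within `window` seconds of the newest one.
    """
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue              # not a failed-MFA line
        ts, user, ip = parsed
        for key in (("user", user), ("ip", ip)):
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # expire old entries
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append((key[0], key[1], ts.strftime("%d-%b-%Y %H:%M:%S")))
    return alerts


def ban_commands(alerts, timeout="10m"):
    """nftables commands for alerted IPs. Assumes (not a default) a table
    'inet filter' holding a set 'banned' created with 'flags timeout'."""
    return [
        f"nft add element inet filter banned {{ {value} timeout {timeout} }}"
        for kind, value, _ in alerts if kind == "ip"
    ]


if __name__ == "__main__":
    found = detect_bursts(SAMPLE_LOG.splitlines())
    for kind, value, when in found:
        print(f"{when} {kind}={value} reached {THRESHOLD} failures in {WINDOW_SECONDS}s")
    for cmd in ban_commands(found):
        print(cmd)
```

On the sample data only alice, her address and the spraying address 192.0.2.44 trigger; bob's five failures are 30 seconds apart, so no five of them ever share a 60 second window. To run it against a live file, replace `SAMPLE_LOG.splitlines()` with `open("/var/log/tomcat9/catalina.out")` (or pipe `tail -F` into it), and keep the per-element timeout on the nft set so bans expire without a second cron job.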