That would be a good start:

enabled  = true
filter   = catalina
logpath  = /var/log/catalina.out
action   = iptables-allports[name=catalina]
           sendmail-whois-lines[name=catalina, sender=the_sender@something.com, logpath=/var/log/fail2ban.log]
bantime  = 600
findtime = 600
maxretry = 3

Make sure that /var/log/catalina.out is the right path.

Then in /etc/fail2ban/filter.d, copy the file proftpd.conf to catalina.conf, remove the failregex and use this instead:
failregex = WARNING: Authentication attempt from <HOST>.*

Then run /etc/init.d/fail2ban restart and try it out yourself to get banned.

On Fri, Apr 12, 2013 at 1:52 PM, Cristiano Nuzzo <> wrote:
Hi, I'm new to this group.

I need help configuring fail2ban (which already works for the ssh protocol) in order to make it work with the tomcat6/guacamole webapp.

I'd like to check the file catalina.out, which looks like this:

more catalina.out | grep pippo

WARNING: Authentication attempt from XXX.XXX.XXX.XXX for user "pippo" failed.

and tell fail2ban to ban the IP at the 3rd failed attempt.

Can you tell me how to edit my catalina.conf filter to put in my filter.d?

Thanks in advance

Fail2ban-users mailing list
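
An added example, not part of the original thread: a Python sketch that checks the suggested failregex against log lines shaped like the one quoted above and applies the jail's maxretry/findtime counting. The IPv4-only `HOST_RE` is a simplified stand-in for fail2ban's real `<HOST>` expansion, and the sample events (times in seconds, documentation addresses) are constructed.

```python
import re
from collections import defaultdict, deque

# Values taken from the jail and filter in the reply above.
FAILREGEX = r'WARNING: Authentication attempt from <HOST>.*'
MAXRETRY = 3
FINDTIME = 600  # seconds

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'


def compile_failregex(failregex):
    """Expand <HOST> into a named group and compile the pattern."""
    return re.compile(failregex.replace('<HOST>', HOST_RE))


def hosts_to_ban(events, maxretry=MAXRETRY, findtime=FINDTIME):
    """events: (seconds, log_line) pairs in time order -> hosts that get banned."""
    pattern = compile_failregex(FAILREGEX)
    recent = defaultdict(deque)  # host -> times of failures inside findtime
    banned = []
    for ts, line in events:
        match = pattern.search(line)
        if not match:
            continue
        window = recent[match.group('host')]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry and match.group('host') not in banned:
            banned.append(match.group('host'))
    return banned


# Constructed sample: one host fails 3 times in a minute, another 3 times spread out.
SAMPLE = [
    (0, 'WARNING: Authentication attempt from 192.0.2.10 for user "pippo" failed.'),
    (30, 'WARNING: Authentication attempt from 192.0.2.10 for user "pippo" failed.'),
    (40, 'INFO: Server startup in 1234 ms'),
    (60, 'WARNING: Authentication attempt from 192.0.2.10 for user "root" failed.'),
    (100, 'WARNING: Authentication attempt from 198.51.100.7 for user "pippo" failed.'),
    (900, 'WARNING: Authentication attempt from 198.51.100.7 for user "pippo" failed.'),
    (1000, 'WARNING: Authentication attempt from 198.51.100.7 for user "pippo" failed.'),
]

if __name__ == '__main__':
    print(hosts_to_ban(SAMPLE))
```

On the server itself, `fail2ban-regex /var/log/catalina.out /etc/fail2ban/filter.d/catalina.conf` runs the real filter against the real log and reports how many lines it matches.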