Do you use Guacamole?
- 
I just set up a Guacamole VM on my Hyper-V host and, after some fiddling with the Nginx conf file, I was able to get the portal to work through the proxy. Awesome! Now the paranoid side of me kicks in, probably unnecessarily. I've created a 40 character password to log into Guacamole along with a 30 character password for the subsequent Windows login. Wondering if anyone has ever heard of any security holes or issues with Guacamole that would make you re-think exposing it to the web even with SSL and long, complex passwords. Is it time to put my tinfoil hat away? I realize that's what it was designed to do.
- 
 @nashbrydges Great Topic. I look forward to watching this  
- 
 @nashbrydges I'm interested. You have any how-to-install notes? 
- 
It's part of the Apache project; SSL security is very good. It's basically a very secure VPN. I'd be no more concerned than with SSH, same level of security.
- 
It's very good. I have installed and used it many times; it would be nice to have a feature to limit the number of login attempts or a Google Captcha.
- 
> @fateknollogee said in Do you use Guacamole?: @nashbrydges I'm interested. You have any how-to-install notes?

I can't take any credit for these but I used the install script here with a fresh Ubuntu 17.04 install and it worked flawlessly. https://www.chasewright.com/guacamole-with-mysql-on-ubuntu/ He also has one for a CentOS 7 install somewhere on his site. My Nginx proxy runs on a separate VM but the conf file for that looks like this.

```nginx
server {
    listen 80;
    server_name mydomain.ca;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name mydomain.ca;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy strict-origin;
    #Had to comment out the line below as the CSP policy broke functionality.
    #add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    server_tokens off;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/mydomain.ca/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.ca/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    proxy_cookie_path / "/; secure; HttpOnly";

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://192.168.100.79:8080/guacamole/;
        #The line below is required because Guacamole is essentially streaming so buffering would get in the way
        proxy_buffering off;
        proxy_redirect off;
        access_log off;
        proxy_cookie_path / "/; secure; HttpOnly";

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

One additional note that took some Googling. If you're going to remote into a Win 10 desktop, you not only need to disable the NLA checkbox but you also need the following registry change:

```
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
```

Change the value from a 2 to a 1 for the following key:

```
"SecurityLayer"=dword:00000001
```

So far it seems exceptionally smooth and way better than using my Sophos XG HTML5 RDP function. Not to mention I can run all of it through the proxy and manage SSL via Nginx, which I can't do through Sophos XG.
- 
 @stuartjordan said in Do you use Guacamole?: Its very good, I have installed and used many times, would be nice to have a feature to limit the amount of login attempts or google Captcha. I wrote a custom Fail2ban block script for a web app I had designed for a friend. Do you know where the access logs would be stored for Guac? I might be able to create something similar to use Fail2ban for. 
- 
fail2ban can handle it, though some issues with rule matching happen according to the Google search I just did. https://www.jimwilbur.com/2016/08/fail2ban_guacamole/
- 
 @travisdh1 Sweet! Gonna have to give this a try. 
- 
> @nashbrydges said in Do you use Guacamole?: as ever heard of any security holes or issues with Guacamole that

So far two vulnerabilities: https://www.cvedetails.com/product/23320/Guac-dev-Guacamole.html?vendor_id=12346

I would use it with SSL and make sure there is a firewall before it or an HTTPS proxy.
- 
> @dbeato said in Do you use Guacamole?: @nashbrydges said in Do you use Guacamole?: as ever heard of any security holes or issues with Guacamole that So far two vulnerabilities https://www.cvedetails.com/product/23320/Guac-dev-Guacamole.html?vendor_id=12346 I would use it with SSL and make sure there is a firewall before it or HTTPS Proxy.

Well, SSL should be standard. Certbot is your friend, SSL all the things!
- 
> @travisdh1 said in Do you use Guacamole?: fail2ban can handle it, tho some issues with rule matching happens according to the Google search I just did. https://www.jimwilbur.com/2016/08/fail2ban_guacamole/

Fail2ban now appears to be blocking failed attempts. Using your link, I noticed catalina.out wasn't capturing failed logins, so I created a blank file at /etc/rsyslog.d/tomcat.conf and then restarted rsyslog. The regex wasn't working and the link didn't have the proper regex to use, so a little search brought me here: https://www.cb-net.co.uk/linux/debian-8-6-proxy-guacamole-via-nginx-using-https-and-fail2ban/

About 3/4 of the way down, the correct regex is shown as follows:

```
failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.
```

Restarted Fail2ban and confirmed that the regex would work:

```
fail2ban-regex '/var/log/tomcat8/catalina.out' /etc/fail2ban/filter.d/guacamole.conf
```

I tried to log in using an incorrect user/pwd combo. Sure enough, the outcome was this (masked IP address):

```
nashbrydges@guacamole:~$ sudo fail2ban-client status guacamole
Status for the jail: guacamole
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     13
|  `- File list:        /var/log/tomcat8/catalina.out
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   xxx.xxx.xxx.135
```
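As an added example (not code from the post above or from fail2ban itself), here is that failregex applied in Python to constructed catalina.out lines, with fail2ban's `<HOST>` tag replaced by an IPv4 capture group and the jail's maxretry/findtime window reproduced, so you can see which address would be banned and why the `(?:,.*)?` part matters behind an Nginx proxy that sets X-Forwarded-For. The sample log lines and the IPv4-only host pattern are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The failregex from the post, with fail2ban's <HOST> tag replaced by a named
# group for an IPv4 address (a narrower stand-in for fail2ban's own <HOST>
# expansion). The "(?:,.*)?" part absorbs the extra addresses Guacamole appends
# when a proxy sets X-Forwarded-For; the first address is the one fail2ban bans.
FAILREGEX = re.compile(
    r'\bAuthentication attempt from \[(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?:,.*)?\]'
    r' for user ".*" failed\.'
)

# Constructed catalina.out lines in the shape Guacamole's logger produces
# (sample input, not lines captured from a real server).
SAMPLE_LOG = """\
14:02:11.503 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "admin" failed.
14:02:14.118 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7, 192.168.100.1] for user "admin" failed.
14:02:20.000 [http-nio-8080-exec-1] INFO  o.a.g.r.auth.AuthenticationService - User "nash" successfully authenticated from [198.51.100.9].
14:02:25.771 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "root" failed.
14:09:40.002 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.9] for user "nash" failed.
"""

def failed_attempts(log_text):
    """Return [(timestamp, host)] for every line the failregex matches.
    Only the time-of-day prefix is parsed, so one day's log is assumed."""
    attempts = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            when = datetime.strptime(line.split(" ", 1)[0], "%H:%M:%S.%f")
            attempts.append((when, m.group("host")))
    return attempts

def hosts_to_ban(attempts, maxretry=3, findtime=600):
    """fail2ban's rule: ban a host with maxretry failures inside a sliding
    window of findtime seconds. Returns the set of hosts that qualify."""
    recent = defaultdict(deque)
    banned = set()
    for when, host in sorted(attempts):
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

The successful-login line is ignored, and the proxied line with two addresses still yields 203.0.113.7 as the host, which is why the first address in the X-Forwarded-For chain must be the real client for the ban to land on the right party.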
- 
 @nashbrydges Thanks for the confirmation that it works right! 
- 
 @nashbrydges Thanks for posting this nash, will have to try this with fail2ban. If anyone is interested there is a nice bash script for getting Guacamole installed: 
 https://sourceforge.net/projects/guacamoleinstallscript/