Do you use Guacamole?



  • I just set up a Guacamole VM on my Hyper-V host and, after some fiddling with the Nginx conf file, I was able to get the portal to work through the proxy. Awesome! Now the paranoid side of me kicks in, probably unnecessarily. I've created a 40-character password to log into Guacamole along with a 30-character password for the subsequent Windows login. Wondering if anyone has ever heard of any security holes or issues with Guacamole that would make you re-think exposing it to the web, even with SSL and long, complex passwords.

    Is it time to put my tinfoil hat away? I realize that's what it was designed to do.



  • @nashbrydges Great Topic. I look forward to watching this :-)



  • @nashbrydges I'm interested. You have any how-to-install notes?


  • It's part of the Apache project; SSL security is very good. It's basically a very secure VPN. I'd be no more concerned than with SSH, same level of security.



  • It's very good; I have installed and used it many times. It would be nice to have a feature to limit the number of login attempts, or a Google Captcha.



  • @fateknollogee said in Do you use Guacamole?:

    @nashbrydges I'm interested. You have any how-to-install notes?

    I can't take any credit for these but I used the install script here with a fresh Ubuntu 17.04 install and it worked flawlessly.

    https://www.chasewright.com/guacamole-with-mysql-on-ubuntu/

    He also has one for a CentOS7 install somewhere on his site.

    My Nginx proxy runs on a separate VM but the conf file for that looks like this.

    server {
      listen 80;
      server_name mydomain.ca;
      return 301 https://$server_name$request_uri;
    }

    server {
      listen 443 ssl http2;
      server_name mydomain.ca;

      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Content-Type-Options nosniff;
      add_header Referrer-Policy strict-origin;
      # Had to comment out the line below as the CSP policy broke functionality.
      #add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
      ssl_stapling on;
      ssl_stapling_verify on;
      server_tokens off;

      ssl on;
      ssl_certificate /etc/letsencrypt/live/mydomain.ca/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/mydomain.ca/privkey.pem;
      ssl_session_timeout 5m;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:10m;
      ssl_dhparam /etc/ssl/certs/dhparam.pem;
      proxy_cookie_path / "/; secure; HttpOnly";

      location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://192.168.100.79:8080/guacamole/;
        # The line below is required because Guacamole is essentially streaming, so buffering would get in the way
        proxy_buffering off;
        proxy_redirect off;
        access_log off;
        proxy_cookie_path / "/; secure; HttpOnly";

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
      }
    }
    
    

    One additional note that took some Googling. If you're going to remote into a Win 10 desktop, you not only need to disable the NLA checkbox but you also need the following registry change.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]

    Change the value from a 2 to a 1 for the following key:

    "SecurityLayer"=dword:00000001

    So far it seems exceptionally smooth and way better than using my Sophos XG HTML5 RDP function. Not to mention I can run all of it through the proxy and manage SSL via Nginx which I can't do through Sophos XG.



  • @stuartjordan said in Do you use Guacamole?:

    It's very good; I have installed and used it many times. It would be nice to have a feature to limit the number of login attempts, or a Google Captcha.

    I wrote a custom Fail2ban block script for a web app I had designed for a friend. Do you know where the access logs would be stored for Guac? I might be able to create something similar to use Fail2ban for.



  • fail2ban can handle it, though some issues with rule matching happen, according to the Google search I just did. https://www.jimwilbur.com/2016/08/fail2ban_guacamole/



  • @travisdh1 Sweet! Gonna have to give this a try.



  • @nashbrydges said in Do you use Guacamole?:

    as ever heard of any security holes or issues with Guacamole that

    So far, two vulnerabilities:
    https://www.cvedetails.com/product/23320/Guac-dev-Guacamole.html?vendor_id=12346

    I would use it with SSL and make sure there is a firewall or an HTTPS proxy in front of it.



  • @dbeato said in Do you use Guacamole?:

    @nashbrydges said in Do you use Guacamole?:

    as ever heard of any security holes or issues with Guacamole that

    So far, two vulnerabilities:
    https://www.cvedetails.com/product/23320/Guac-dev-Guacamole.html?vendor_id=12346

    I would use it with SSL and make sure there is a firewall or an HTTPS proxy in front of it.

    Well, SSL should be standard. Certbot is your friend, ssl all the things!



  • @travisdh1 said in Do you use Guacamole?:

    fail2ban can handle it, though some issues with rule matching happen, according to the Google search I just did. https://www.jimwilbur.com/2016/08/fail2ban_guacamole/

    Fail2ban now appears to be blocking failed attempts.

    Using your link, I noticed catalina.out wasn't capturing failed logins so I created a blank file at /etc/rsyslog.d/tomcat.conf and then restarted rsyslog.

    The regex wasn't working, and the link didn't have the proper regex to use, so a little search brought me here:
    https://www.cb-net.co.uk/linux/debian-8-6-proxy-guacamole-via-nginx-using-https-and-fail2ban/

    About 3/4 of the way down, the correct regex is shown as follows.
    failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.

    Restarted Fail2ban and confirmed that the regex would work:
    fail2ban-regex '/var/log/tomcat8/catalina.out' /etc/fail2ban/filter.d/guacamole.conf

    I tried to log in using an incorrect user/pwd combo. Sure enough, the outcome was this (masked IP address).

    [email protected]:~$ sudo fail2ban-client status guacamole
    Status for the jail: guacamole
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     13
    |  `- File list:        /var/log/tomcat8/catalina.out
    `- Actions
       |- Currently banned: 1
       |- Total banned:     2
       `- Banned IP list:   xxx.xxx.xxx.135
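    As an added example (not code from this thread, from fail2ban or from the Guacamole project), here is the failregex quoted above exercised with plain Python over a constructed catalina.out sample, so the filter can be checked without a running fail2ban. It expands <HOST> the way fail2ban's 0.9-era filter engine does (the HOST_PATTERN is an assumption about that substitution, not copied from fail2ban), extracts the host and user of every failed attempt, and reports which hosts would cross a maxretry threshold. The log lines and addresses are constructed.

```python
import re
from collections import Counter

# What fail2ban substitutes for <HOST> in a filter. This is the 0.9-era
# definition; newer releases use a richer pattern, so treat this as an
# assumption rather than fail2ban's exact internals.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex quoted in the thread, with <HOST> expanded by hand so that
# it can be exercised with the `re` module and no fail2ban daemon.
FAILREGEX = r'\bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.'
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Pulls the username out of a line that FAIL_RE has already matched.
USER_RE = re.compile(r'for user "([^"]*)" failed\.')

# Constructed sample of Tomcat's catalina.out in the shape the failregex
# expects: the bracket holds the X-Forwarded-For chain (client first, then
# the proxy) for requests that arrived through nginx, or just the remote
# address otherwise. None of these lines or addresses are real.
SAMPLE_LOG = """\
12:01:05.120 [http-nio-8080-exec-1] INFO  o.a.g.r.auth.AuthenticationService - User "nash" successfully authenticated from [203.0.113.10, 10.0.0.2].
12:01:09.301 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.7] for user "admin" failed.
12:01:11.554 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.44, 10.0.0.2] for user "nash" failed.
12:01:12.008 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.7] for user "root" failed.
12:01:13.790 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.7] for user "admin" failed.
12:01:20.000 [http-nio-8080-exec-1] INFO  o.a.g.r.auth.AuthenticationService - User "admin" successfully authenticated from [192.0.2.9].
"""


def parse_failures(log_text):
    """Return a (host, user) tuple for every line the failregex matches."""
    failures = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        u = USER_RE.search(line)
        failures.append((m.group("host"), u.group(1) if u else ""))
    return failures


def hosts_to_ban(log_text, maxretry=3):
    """Hosts fail2ban would ban at the given maxretry (findtime is ignored)."""
    counts = Counter(host for host, _ in parse_failures(log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host, user in parse_failures(SAMPLE_LOG):
        print(f"failed login from {host} for user {user!r}")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

    Two things the sample makes visible: the regex captures the first entry in the bracket, which is the X-Forwarded-For value the nginx location block sets, so it names the real client only while Tomcat on port 8080 is reachable solely through the proxy (a client that can reach it directly supplies that header itself, and the ban would land on whatever address it chose); and the count above has no findtime window, so it is a filter check, not a replacement for fail2ban's own jail logic.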
    


  • @nashbrydges Thanks for the confirmation that it works right!



  • @nashbrydges Thanks for posting this, nash. Will have to try this with fail2ban.

    If anyone is interested there is a nice bash script for getting Guacamole installed:
    https://sourceforge.net/projects/guacamoleinstallscript/

