Re: How to make Guacamole safe.

2024-02-19 Thread Ivanmarcus

Andrea,

Mike means that you will need to be looking at, and blocking if 
necessary, unique public IP addresses.


Most likely private addresses (e.g. 192.168.x.x) would normally be 
'trusted', or in some cases not unique, so there's no point in 
having fail2ban analyse them.


Also, fail2ban is a separate project and service. It is not affiliated 
with Guacamole, although it may be used with it.


On 19/02/24 21:00, Andrea Miconi wrote:

  My firewall already has an Intrusion Detection function. Guacamole is behind the 
firewall and behind the reverse proxy. When you talk about "is running on the 
public-facing server" are you still talking about Guacamole?
Is Fail2ban already configured for Guacamole or do I have to configure it myself?


 On Monday, 19 February 2024 at 08:33:41 CET, Michael Jumper wrote:
  
  On 2/18/24 23:15, Andrea Miconi wrote:

My Guacamole is installed on a PC with Debian 12 and I use it to connect
to my PCs and servers.
Besides G. there is nothing else installed; maybe later I will want to
install Zabbix.

G. is now behind a firewall with HA-Proxy as reverse proxy.
I wonder if I shouldn't secure the server anyway, for example using UFW
or Fail2ban.



It's always advisable to configure a tool like "fail2ban" - doing so
would allow you to automatically block attempts to brute-force login
credentials.

You will need to make sure that the fail2ban service is running on the
public-facing server. Blocking the IP address of a client machine will
otherwise have no impact if all client machines are actually your
reverse proxy from the perspective of the webapp.

Ensuring your system has a functional firewall, whether with UFW or
otherwise, should be standard practice. This has little to do with
Guacamole, particularly given that you would need to allow access to
Guacamole through your firewall anyway. This has more to do with
ensuring other services that may be running on your system are not
accessible.

- Mike

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

   





Re: How to make Guacamole safe.

2024-02-19 Thread Andrea Miconi
My firewall already has an Intrusion Detection function. Guacamole is behind 
the firewall and behind the reverse proxy. When you talk about "is running on 
the public-facing server" are you still talking about Guacamole?
Is Fail2ban already configured for Guacamole or do I have to configure it myself?


On Monday, 19 February 2024 at 08:33:41 CET, Michael Jumper wrote:
 
 On 2/18/24 23:15, Andrea Miconi wrote:
> My Guacamole is installed on a PC with Debian 12 and I use it to connect 
> to my PCs and servers.
> Besides G. there is nothing else installed; maybe later I will want to 
> install Zabbix.
> 
> G. is now behind a firewall with HA-Proxy as reverse proxy.
> I wonder if I shouldn't secure the server anyway, for example using UFW 
> or Fail2ban.
> 

It's always advisable to configure a tool like "fail2ban" - doing so 
would allow you to automatically block attempts to brute-force login 
credentials.

You will need to make sure that the fail2ban service is running on the 
public-facing server. Blocking the IP address of a client machine will 
otherwise have no impact if all client machines are actually your 
reverse proxy from the perspective of the webapp.

Ensuring your system has a functional firewall, whether with UFW or 
otherwise, should be standard practice. This has little to do with 
Guacamole, particularly given that you would need to allow access to 
Guacamole through your firewall anyway. This has more to do with 
ensuring other services that may be running on your system are not 
accessible.

- Mike


  

Re: How to make Guacamole safe.

2024-02-18 Thread Michael Jumper

On 2/18/24 23:15, Andrea Miconi wrote:
My Guacamole is installed on a PC with Debian 12 and I use it to connect 
to my PCs and servers.
Besides G. there is nothing else installed; maybe later I will want to 
install Zabbix.


G. is now behind a firewall with HA-Proxy as reverse proxy.
I wonder if I shouldn't secure the server anyway, for example using UFW 
or Fail2ban.




It's always advisable to configure a tool like "fail2ban" - doing so 
would allow you to automatically block attempts to brute-force login 
credentials.


You will need to make sure that the fail2ban service is running on the 
public-facing server. Blocking the IP address of a client machine will 
otherwise have no impact if all client machines are actually your 
reverse proxy from the perspective of the webapp.


Ensuring your system has a functional firewall, whether with UFW or 
otherwise, should be standard practice. This has little to do with 
Guacamole, particularly given that you would need to allow access to 
Guacamole through your firewall anyway. This has more to do with 
ensuring other services that may be running on your system are not 
accessible.


- Mike
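
Added example, not part of the thread and not code from Guacamole or fail2ban: a small Python sketch of why failed logins have to be attributed to the address the reverse proxy saw, and why private addresses are left out of the analysis. The proxy address 192.168.1.10, the use of an X-Forwarded-For header, the threshold and the sample events are all assumptions constructed for the illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the reverse proxy reaches the webapp from this address and
# passes the original client address in an X-Forwarded-For header.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.10")}
# Private and loopback ranges that are not analysed.
IGNORED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MAX_RETRY = 3  # hypothetical failure threshold

# Constructed events: (peer address the webapp sees, X-Forwarded-For, login ok)
SAMPLE_EVENTS = [
    ("192.168.1.10", "203.0.113.7", False),
    ("192.168.1.10", "203.0.113.7", False),
    ("192.168.1.10", "203.0.113.7", False),
    ("192.168.1.10", "198.51.100.20", False),
    ("192.168.1.10", "198.51.100.20", True),
    ("192.168.1.50", "203.0.113.99", False),  # LAN host, header not from the proxy
    ("192.168.1.50", "", False),
    ("192.168.1.50", "", False),
]

def client_address(peer, forwarded_for):
    """Address a request is attributed to; the header counts only from the proxy."""
    addr = ipaddress.ip_address(peer)
    if addr not in TRUSTED_PROXIES:
        return addr  # a header sent by anything but the proxy is ignored
    try:
        hops = [ipaddress.ip_address(h.strip())
                for h in forwarded_for.split(",") if h.strip()]
    except ValueError:
        return addr  # malformed header: fall back to the peer address
    for hop in reversed(hops):  # rightmost non-proxy hop is what the proxy saw
        if hop not in TRUSTED_PROXIES:
            return hop
    return addr

def failures_by_address(events, trust_proxy_header):
    """Count failed logins per address, with or without resolving the proxy."""
    counts = Counter()
    for peer, forwarded_for, succeeded in events:
        if not succeeded:
            addr = (client_address(peer, forwarded_for) if trust_proxy_header
                    else ipaddress.ip_address(peer))
            counts[str(addr)] += 1
    return dict(counts)

def ban_candidates(counts):
    """Addresses over the threshold that are outside the ignored ranges."""
    return sorted(a for a, n in counts.items() if n >= MAX_RETRY
                  and not any(ipaddress.ip_address(a) in net for net in IGNORED_NETS))
```

Counting by peer address attributes every proxied failure to 192.168.1.10, so nothing useful can be blocked; resolving the address behind the proxy leaves one public address over the threshold.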




How to make Guacamole safe.

2024-02-18 Thread Andrea Miconi
My Guacamole is installed on a PC with Debian 12 and I use it to connect to my 
PCs and servers.
Besides G. there is nothing else installed; maybe later I will want to install 
Zabbix.
G. is now behind a firewall with HA-Proxy as reverse proxy. I wonder if I 
shouldn't secure the server anyway, for example using UFW or Fail2ban.