Hi,

I noticed recently that one of our Guacamole servers is being subjected to a
brute-force attack via the REST API, as shown in these logs:

guacamole_compose | 13:10:56.987 [http-nio-8080-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:10:57.668 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:00.496 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:01.354 [http-nio-8080-exec-7] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:01.902 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:02.015 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:03.559 [http-nio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:04.428 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:05.298 [http-nio-8080-exec-7] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:05.378 [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:09.072 [http-nio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:09.569 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:11.507 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:11.529 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:13.561 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:13.912 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:13.916 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:15.345 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:16.986 [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:17.984 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:19.545 [http-nio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:20.009 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:21.586 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:21.732 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:23.089 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.


Do you have any advice on how to block such an IP address automatically after a
couple of failed attempts? For SSH I use denyhosts but that doesn’t work for
HTTP.

Thanks in advance!

Best,

Tom
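
An added example, not part of the original message: detection logic over the AuthenticationService failure lines quoted above, reporting each source address that reaches a failure threshold inside a sliding window. The function names, the threshold and window defaults, and the sample lines (constructed, using documentation addresses) are assumptions; the log lines carry no date, so all lines are assumed to come from the same day.

```python
import re
from collections import defaultdict, deque

# Matches the failure line format shown in the message above.
FAILURE_RE = re.compile(
    r'(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<ms>\d{3}) .*?'
    r'AuthenticationService - Authentication attempt from (?P<ip>\S+) '
    r'for user "(?P<user>[^"]*)" failed\.'
)

def parse_failure(line):
    """Return (seconds_since_midnight, ip, user) for a failure line, else None."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    t = int(m['h']) * 3600 + int(m['m']) * 60 + int(m['s']) + int(m['ms']) / 1000
    return t, m['ip'], m['user']

def offenders(lines, max_failures=5, window_seconds=60):
    """Return {ip: time of the failure that first reached the threshold}."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue              # not an authentication failure line
        t, ip, _user = parsed
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window_seconds:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = t
    return flagged

# Constructed sample input in the same format as the logs above.
LINE = ('guacamole_compose | {t} [http-nio-8080-exec-1] WARN  '
        'o.a.g.r.auth.AuthenticationService - Authentication attempt '
        'from {ip} for user "guacadmin" failed.')
SAMPLE = [LINE.format(t=t, ip=ip) for t, ip in [
    ("13:10:56.987", "203.0.113.7"), ("13:10:57.668", "203.0.113.7"),
    ("13:11:00.496", "198.51.100.20"), ("13:11:01.354", "203.0.113.7"),
    ("13:11:01.902", "203.0.113.7"), ("13:11:02.015", "203.0.113.7"),
    ("13:14:30.000", "198.51.100.20"),
]] + ["guacamole_compose | 13:11:02.100 [http-nio-8080-exec-2] INFO  unrelated line"]

if __name__ == "__main__":
    for ip, t in offenders(SAMPLE).items():
        print(f"{ip} reached the failure threshold at {t:.3f}s after midnight")
```

The returned addresses can be handed to whatever firewall or ban mechanism is already in place on the host or reverse proxy.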


