Hi Tom,

On Thu, 2021-02-04 at 15:59 +0000, Tom Schoonjans wrote:
> Hi,
>
> I noticed recently that one of our guacamole servers is being subjected
> to a brute force attack via the REST API as shown in these logs:
>
> guacamole_compose | 13:10:56.987 [http-nio-8080-exec-6] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 141.98.255.144 for user "guacadmin" failed.
> [snip]
>
> Do you have any advice on how to block such an IP address automatically
> after a couple of failed attempts? For ssh I use denyhosts but that
> doesn’t work for HTTP.
It looks like fail2ban also has support for Guacamole [1]. This should
take care of stupid brute-force attacks coming from a single host. You
should also have a look at the recidive jail to block hosts that keep
trying after multiple bans.

Best,

Sander

[1] https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/guacamole.conf
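As an added illustration of the advice in Sander's reply (this is not code from the thread, from fail2ban or from Guacamole), the following Python script simulates what a fail2ban jail does with Guacamole's failed-login lines: it counts matches per source host inside a sliding findtime window, bans after maxretry hits, and feeds every ban into a second, recidive-style jail that bans for much longer once a host has been banned repeatedly. The regex is modelled on the filter Sander links but was written here from the log line Tom quoted, not copied from fail2ban; the thresholds and every log line except the first are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Matches the WARN line Guacamole's AuthenticationService logs for a failed
# login (format taken from the line quoted in the thread). Modelled on
# fail2ban's filter.d/guacamole.conf, not copied from it; search() rather
# than match() so the docker-compose "service | " prefix does not matter.
FAIL_RE = re.compile(
    r'(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \[[^\]]+\] WARN\s+'
    r'o\.a\.g\.r\.auth\.AuthenticationService - '
    r'Authentication attempt from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) '
    r'for user "[^"]*" failed\.'
)


def parse_failure(line):
    """(seconds since midnight, source host) for a failed-login line, else None."""
    m = FAIL_RE.search(line)
    if m is None:
        return None
    hh, mm, ss = m.group('time').split(':')
    return int(hh) * 3600 + int(mm) * 60 + float(ss), m.group('host')


class Jail:
    """fail2ban-style jail: ban a host for `bantime` seconds once it has
    `maxretry` failures inside a sliding `findtime`-second window."""

    def __init__(self, name, maxretry, findtime, bantime):
        self.name = name
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.window = defaultdict(deque)   # host -> recent failure timestamps
        self.ban_until = {}                # host -> ban expiry timestamp
        self.bans = []                     # (timestamp, host), like fail2ban.log

    def is_banned(self, host, now):
        return self.ban_until.get(host, -1.0) > now

    def observe(self, host, now):
        """Record one failure at `now`; return True if it triggers a new ban."""
        w = self.window[host]
        w.append(now)
        while now - w[0] > self.findtime:     # drop hits older than findtime
            w.popleft()
        if len(w) < self.maxretry:
            return False
        self.ban_until[host] = now + self.bantime
        self.bans.append((now, host))
        w.clear()                              # counting restarts after a ban
        return True


def run(lines, guac, recidive):
    """Feed log lines through the guacamole jail; each ban it issues is one
    'failure' for the recidive jail, the way recidive reads fail2ban.log.
    Returns how many attempts an active ban would have stopped at the
    firewall (in a real deployment those lines would never be logged)."""
    blocked = 0
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        now, host = parsed
        if guac.is_banned(host, now) or recidive.is_banned(host, now):
            blocked += 1
            continue
        if guac.observe(host, now):
            recidive.observe(host, now)
    return blocked


# Constructed sample log. Only the first line comes from the thread (with the
# level padding log4j normally emits); the rest are made up: 141.98.255.144
# keeps hammering, 192.0.2.10 is a legitimate user who mistypes twice.
SAMPLE_LOG = """\
guacamole_compose | 13:10:56.987 [http-nio-8080-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:10:57.301 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:10:57.644 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "admin" failed.
guacamole_compose | 13:10:58.010 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:05.000 [http-nio-8080-exec-1] INFO  o.a.g.r.auth.AuthenticationService - (constructed non-failure line, ignored by the filter)
guacamole_compose | 13:11:10.000 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.0.2.10 for user "tom" failed.
guacamole_compose | 13:11:25.500 [http-nio-8080-exec-7] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.0.2.10 for user "tom" failed.
guacamole_compose | 13:13:00.000 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:13:00.400 [http-nio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:13:00.800 [http-nio-8080-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "root" failed.
guacamole_compose | 13:15:30.000 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
"""


def simulate(log=SAMPLE_LOG):
    """Run the sample through both jails. Thresholds are kept small so the
    short sample triggers everything; they are assumptions for the demo,
    not fail2ban's shipped defaults."""
    guac = Jail('guacamole', maxretry=3, findtime=60, bantime=120)
    recidive = Jail('recidive', maxretry=2, findtime=3600, bantime=86400)
    blocked = run(log.splitlines(), guac, recidive)
    return {
        'guacamole_bans': [h for _, h in guac.bans],
        'recidive_bans': [h for _, h in recidive.bans],
        'blocked': blocked,
    }


if __name__ == '__main__':
    print(simulate())
```

Running it, the attacker is banned twice by the guacamole jail (its first ban expires and it comes straight back), the second ban trips the recidive jail, and the user who mistyped twice is never touched. In a real deployment the same knobs live in jail.local (`enabled`, `filter = guacamole`, `logpath`, `maxretry`, `findtime`, `bantime` for the guacamole jail, and the recidive jail reading fail2ban's own log), and the firewall rule fail2ban installs is what stops the attempts the simulation counts as blocked. Two things worth checking before relying on it: the filter only works if the container's log output actually reaches a file fail2ban can read, and if Guacamole sits behind a reverse proxy the logged address is the proxy's unless Tomcat is configured to take the client address from the forwarding header, in which case a ban would hit the proxy rather than the attacker.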