Really, people talking about security and mentioning firewall in terms of
securing a service have not done their homework. Else they should have
understood that the most vital part in security is securing services as an
immanent part of their design by using a libwrap approach or an authentication
of user/ip tuples.
Why not use a firewall for that? Because it burns CPU resources looking in
_every_ packet instead of the ones meant for the service to be secured.
The XXX from OpenSSH - just to give an example - removed the libwrap code (few
lines) in favour of telling people to use keys. For me it is pretty obvious
that this can only be done if you want to open up backdoors that cannot make
it through libwrap for its code simpleness. It is obvious that people really
having to deal with security like router vendors weren't quite of the same
opinion. Take a look at a MikroTik config to mention a good example and see
how they in fact implemented a libwrap type of immanent service security for
every service in the box.
Use IP filters when needed, but don't pipe all your traffic through a (CPU
driven) firewall, because you only hurt the performance.
Therefore your statement that a good job was done here cannot be held up,
because they completely failed to even think about the client ip.
No matter what you want to do with it in the end.

--
Regards,
Stephan


On Fri, 26 Apr 2024 14:20:09 -0700
Sean Hulbert <shulb...@securitycentric.net.INVALID> wrote:

> It's easy when you know how!
> 
> Guacamole is very well thought out; Mike and team have done an
> exceptional job. However, we customize Guacamole to do what we want it to
> do, strip out the code not used, then harden it with FIPS 140-2. I merely
> gave examples of what you could do; besides, you should be using some type
> of SIEM anyways as part of your security posture.  I hope you find what
> you are looking for.
> 
> 
> 
> *Thank You*
> Sean Hulbert
> *Founder / CEO*
> 
> 
> *Security Centric Inc.*
> A Cybersecurity Virtualization Enablement Company
> /StormCloud Gov, Protected CUI Environment!/
> 
> 
> Industry's most secure virtual desktops!
> 
> 
> */FedRAMP MIL4 in process (RAR)/*
> System Award Management
> *CAGE: 8AUV4*
> *SAM ID: UMJLJ8A7BMT3*
> 
> AFCEA San Francisco Chapter President
> If you have heard of a hacker by name, he/she has failed, fear the 
> hacker you haven’t heard of!
> 
> CONFIDENTIALITY NOTICE: This communication with its contents may contain 
> confidential and/or legally privileged information. It is solely for the 
> use of the intended recipient(s). Unauthorized interception, review, use 
> or disclosure is prohibited and may violate applicable laws including 
> the Electronic Communications Privacy Act. If you are not the intended 
> recipient, please contact the sender and destroy all copies of the 
> communication. Content within this email communication is not legally 
> binding as a contract and no promises are guaranteed unless in a formal 
> contract outside this email communication.
> 
> igitur qui desiderat pacem, praeparet bellum!!!
> 
> Epitoma Rei Militaris
> 
> On 4/26/2024 2:02 PM, Stephan von Krawczynski wrote:
> > You are aware that the talk is about a piece of information (IP) the basic
> > service (indeed apache) has naturally.
> > Your explanation alone shows how broken by design the thing is. You need a
> > logfile, a database, a script and a layer 7 firewall for obtaining an IP?
> > And then you call it easy. Gimme a break...
> >
> >
> > On Fri, 26 Apr 2024 10:51:01 -0700
> > Sean Hulbert<shulb...@securitycentric.net.INVALID>  wrote:
> >  
> >> This is easy,
> >>
> >> 1. Use a SIEM on the NGINX or Apache log files set your trigger to look
> >> for the api token.
> >>
> >> 2. Parse the log file directly using bash awk sed if fi else then pull
> >> the IP address
> >>
> >> 3. Create a new table in the Guacamole database then add a variable to
> >> the connection info page, take option 2 and inject the IP to the new
> >> table to be displayed.
> >>
> >> 4. Put a Layer 7 firewall in front of the Guacamole system and capture
> >> all data streams to and from (assuming this is external use).
> >>
> >>
> >> On 4/26/2024 6:10 AM, Nick Couchman wrote:  
> >>> On Fri, Apr 26, 2024 at 6:47 AM Molina de la Iglesia, Manuel
> >>> <manuel.molina-de-la-igle...@veolia.com.invalid>  wrote:
> >>>
> >>>      Hello,
> >>>
> >>>      After following the provided documentation, I cannot find a
> >>>      solution to get the real client IP.
> >>>
> >>>      I have my application (PHP) on the same Guacamole Server, this
> >>>      application gets the user token:
> >>>
> >>>      image.png
> >>>
> >>>      The Tomcat log (after use the following pattern on the server.xml
> >>>      valve) I use: %{x-forwarded-for}i %l %u %t "%r" %s %b
> >>>
> >>>      The log is OK (display the user IP)
> >>>
> >>>      image.png
> >>>
> >>>
> >>> This does not look like the Tomcat log, this looks like a log for
> >>> httpd or Nginx, which means *that* is getting your client IP address.
> >>> Do you have your Proxy configured to pass the X-Forwarded-For header
> >>> through to Tomcat?
> >>>
> >>> -Nick
> >>>     
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail:user-unsubscr...@guacamole.apache.org
> > For additional commands, e-mail:user-h...@guacamole.apache.org
> >  

-- 
Best regards,
Stephan von Krawczynski


------------------------------------------------------
ith Kommunikationstechnik GmbH

Billing address   : Reiterstrasse 24, D-94447 Plattling
Delivery address  : Leithenweg 10, D-94527 Aholming
Phone             : +49 9931 9188 0
Fax               : +49 9931 9188 44
Managing director : Stephan von Krawczynski
Register court    : Deggendorf HRB 1625
------------------------------------------------------
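
Added example, not part of the thread and not Guacamole project code: the log-parsing step quoted above (find the token in the access log, pull the IP), written against the valve pattern quoted in the original question. It assumes the token appears as a `token` query parameter and that the listed proxy networks are your own; the log lines, paths, tokens and addresses are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Pattern from the thread: %{x-forwarded-for}i %l %u %t "%r" %s %b
# The header may hold "a, b, c", so the fixed fields are anchored at line end.
LINE = re.compile(r'^(?P<xff>.*) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+$')

# Assumption: proxies you operate yourself (constructed values).
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

def client_ip(xff, trusted=TRUSTED):
    """Right-most header entry that is not one of our proxies; entries left of it can be forged."""
    for part in reversed(xff.split(",")):
        try:
            hop = ipaddress.ip_address(part.strip())
        except ValueError:
            return None          # "-" (no header) or garbage: do not guess
        if not any(hop in net for net in trusted):
            return str(hop)
    return None                  # request came from a trusted proxy itself

def token_sources(lines, trusted=TRUSTED):
    """Map each token seen in the log to the set of client addresses using it."""
    seen = {}
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if not m:
            continue
        fields = m["req"].split(" ")          # method, target, protocol
        if len(fields) != 3:
            continue
        # Assumption: the token travels as a "token" query parameter.
        token = parse_qs(urlsplit(fields[1]).query).get("token")
        ip = client_ip(m["xff"], trusted)
        if token and ip:
            seen.setdefault(token[0], set()).add(ip)
    return seen

# Constructed sample lines (documentation address ranges, made-up tokens).
SAMPLE_LOG = [
    '198.51.100.23 - - [26/Apr/2024:10:51:01 -0700] "GET /guacamole/api/example?token=AAAA1111 HTTP/1.1" 200 512',
    '192.0.2.66, 203.0.113.9, 10.0.0.5 - - [26/Apr/2024:10:52:10 -0700] "GET /guacamole/api/example?token=BBBB2222 HTTP/1.1" 200 128',
    '- - - [26/Apr/2024:10:53:00 -0700] "GET /guacamole/ HTTP/1.1" 200 2048',
    '198.51.100.77 - - [26/Apr/2024:10:54:30 -0700] "GET /guacamole/api/example?token=AAAA1111 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(token_sources(SAMPLE_LOG))
```

A token that maps to more than one address, as the first sample token does, is the kind of record a SIEM trigger would flag for review.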
