> > If considering username instead of IP, I would be concerned that a
> > malicious user could trivially leverage that behavior to deny a specific,
> > known user access to Guacamole. There'd need to be some reliable,
> > out-of-band mechanism for the real user to come back, verify themselves,
> > and regain access to their account.
> >
>
> Good points - I didn't think about that. I was thinking about the fact
> that it's more likely that a real attacker will try multiple usernames to
> try to circumvent any sort of a per-user lockout, but didn't think about
> there being certain situations where a user is targeted.
>
> > We could consider _both_ username and IP, optionally flagging repeated
> > failed attempts to authenticate as problematic only if also against the
> > same account. That might avoid both cases, but would be arguably weaker
> > than banning purely IPs.
> >
>
> I think having this as an option would be good - I do think the default of
> the IP-based approach is probably good for most situations, particularly
> where Guacamole is exposed to the Internet, as it avoids both the
> shortfall of targeting a particular user and that of attacking the system
> via multiple user accounts. But, I do see the original use case of having
> situations where you may lack visibility into the actual source IP address
> of the clients.

FYI, I've created the following Jira issue to track this feature request:
https://issues.apache.org/jira/browse/GUACAMOLE-2144

-Nick
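The thread weighs three lockout keys: client IP, username, or the (IP, username) pair. The following is an added example (not Guacamole's code, and not from the thread's participants) that makes the trade-off concrete: a small failed-login tracker whose key mode is configurable, run over two constructed attempt logs. The first log is the targeted case Mike raises (one address hammering a single account, then the real user arriving from a different address); the second is the username-spraying case Nick describes (one address trying many accounts once each). All IPs, usernames, thresholds and timestamps are constructed for the illustration.

```python
from collections import defaultdict, deque

# Added example, not Guacamole code: a failed-login tracker whose lockout key
# can be the client IP, the username, or the (IP, username) pair, so the three
# options discussed in the thread can be compared on the same attempt logs.


class FailedLoginTracker:
    """Count recent failed authentication attempts per key and report lockouts."""

    def __init__(self, key_mode="ip", max_failures=5, window_seconds=300):
        if key_mode not in ("ip", "username", "both"):
            raise ValueError("key_mode must be 'ip', 'username' or 'both'")
        self.key_mode = key_mode          # 'ip' is the thread's suggested default
        self.max_failures = max_failures  # failures within the window before lockout
        self.window_seconds = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _key(self, ip, username):
        if self.key_mode == "ip":
            return ("ip", ip)
        if self.key_mode == "username":
            return ("user", username)
        return ("both", ip, username)

    def _prune(self, key, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def record_failure(self, ip, username, now):
        key = self._key(ip, username)
        self._prune(key, now)
        self._failures[key].append(now)

    def is_locked(self, ip, username, now):
        key = self._key(ip, username)
        self._prune(key, now)
        return len(self._failures[key]) >= self.max_failures


# Constructed attempt logs: (timestamp, client IP, username, success flag).
# Case 1: one address fails against a single account ten times ...
TARGETED_USER = [(t, "203.0.113.9", "alice", False) for t in range(10)]
# ... and the real user then tries from her own address.
TARGETED_USER_VICTIM = ("198.51.100.5", "alice")

# Case 2: one address tries ten different usernames once each ...
USERNAME_SPRAY = [(t, "203.0.113.9", f"user{t}", False) for t in range(10)]
# ... and then moves on to yet another account.
SPRAY_NEXT_ATTEMPT = ("203.0.113.9", "user99")


def locked_after(events, who, key_mode, now=11):
    """Replay the failures in `events`, then ask whether `who` is locked out."""
    tracker = FailedLoginTracker(key_mode=key_mode, max_failures=5, window_seconds=300)
    for ts, ip, user, ok in events:
        if not ok:
            tracker.record_failure(ip, user, ts)
    ip, user = who
    return tracker.is_locked(ip, user, now)


def compare_modes(events, who):
    """Lockout decision for `who` under each of the three key modes."""
    return {mode: locked_after(events, who, mode) for mode in ("ip", "username", "both")}


if __name__ == "__main__":
    print("targeted user, real user from her own IP:",
          compare_modes(TARGETED_USER, TARGETED_USER_VICTIM))
    print("username spray, same IP, next account:",
          compare_modes(USERNAME_SPRAY, SPRAY_NEXT_ATTEMPT))
```

Replaying the two logs shows the asymmetry the thread describes: keying on username alone locks the legitimate user out after someone else's failures against her account, keying on IP alone does not; conversely, keying on IP stops the spraying source after its fifth failure, while username and (IP, username) keys never trip because no single account accumulates enough failures. The pair key avoids the targeted-user problem but, as the thread notes, is weaker than a pure IP ban against spraying.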