Posted to user@guacamole.apache.org by Guilherme Carvalho <gc...@gmail.com> on 2020/03/19 16:12:28 UTC

Captcha on guacamole login

Hello guys, I have a doubt, is it possible to set up a Captcha on the first
login page? I'm using LDAP + TOTP, but the problem is, if somebody tried
to connect many times with a user on the guacamole, this account got
blocked on the AD, so many services will stop and I couldn't connect.

What could be done to prevent this?

Thanks

Re: Captcha on guacamole login

Posted by ivanmarcus <iv...@yahoo.com.INVALID>.
Bad form replying to my own post I know but just in case, for the 
eagle-eyed, you will see the plots I included weren't actually for 
Guacamole.

The reason for that is simply that while my Guacamole VMs do have 
fail2ban (and recidive) operational I don't plot their fail2ban data 
over time.

Obviously I do for postfix and the plots I included were intended simply 
to show the effect of recidive. Presently I have no blacklisted hosts on 
Guacamole, partly due to some other measures in use, nevertheless I 
consider fail2ban an important tool in protecting the system(s).


On 20/03/2020 10:12 a.m., ivanmarcus wrote:
>
> I highly recommend fail2ban.
>
> If you do implement it then I suggest you consider including the 
> recidive option.
>
> Attached are two plots, one showing current fail2ban blacklisted IPs 
> (including recidive), and one showing the effect of introducing 
> recidive last year...
>
>
> On 20/03/2020 8:18 a.m., Guilherme Carvalho wrote:
>> Yes, you're right, I am looking for fail2ban right now, but the 
>> captcha would be perfect, the first login user password and captcha, 
>> then the TOTP.
>>
>> Thanks Nick.
>>
>> On Thu, 19 Mar 2020 at 15:29, Nick Couchman <vnick@apache.org> wrote:
>>
>>     On Thu, Mar 19, 2020 at 12:12 PM Guilherme Carvalho
>>     <gccarvalho@gmail.com> wrote:
>>
>>         Hello guys, I have a doubt, is it possible to set up a Captcha
>>         on the first login page?
>>
>>
>>     I have no doubt this would be possible.  There's no
>>     out-of-the-box way to do it, today, but I would think an
>>     extension could be written to allow it to function very similarly
>>     to TOTP or RADIUS with MFA.
>>
>>         I'm using LDAP + TOTP, but the problem is, if somebody tried
>>         to connect many times with a user on the guacamole, this
>>         account got blocked on the AD, so many services will stop and
>>         I couldn't connect.
>>
>>
>>     I think Mike has suggested previously elsewhere that fail2ban
>>     might be a good option for preventing these sorts of attacks as
>>     it will block access to the server from that IP.  Obviously if
>>     someone is intent on attacking they will do so from multiple IPs,
>>     so it won't be perfect, but nothing is.
>>
>>     -Nick
>>
>
>
>


Re: Captcha on guacamole login

Posted by ivanmarcus <iv...@yahoo.com.INVALID>.
I highly recommend fail2ban.

If you do implement it then I suggest you consider including the 
recidive option.

Attached are two plots, one showing current fail2ban blacklisted IPs 
(including recidive), and one showing the effect of introducing recidive 
last year...


On 20/03/2020 8:18 a.m., Guilherme Carvalho wrote:
> Yes, you're right, I am looking for fail2ban right now, but the 
> captcha would be perfect, the first login user password and captcha, 
> then the TOTP.
>
> Thanks Nick.
>
> On Thu, 19 Mar 2020 at 15:29, Nick Couchman <vnick@apache.org> wrote:
>
>     On Thu, Mar 19, 2020 at 12:12 PM Guilherme Carvalho
>     <gccarvalho@gmail.com> wrote:
>
>         Hello guys, I have a doubt, is it possible to set up a Captcha
>         on the first login page?
>
>
>     I have no doubt this would be possible.  There's no out-of-the-box
>     way to do it, today, but I would think an extension could be
>     written to allow it to function very similarly to TOTP or RADIUS
>     with MFA.
>
>         I'm using LDAP + TOTP, but the problem is, if somebody tried
>         to connect many times with a user on the guacamole, this
>         account got blocked on the AD, so many services will stop and
>         I couldn't connect.
>
>
>     I think Mike has suggested previously elsewhere that fail2ban
>     might be a good option for preventing these sorts of attacks as it
>     will block access to the server from that IP.  Obviously if
>     someone is intent on attacking they will do so from multiple IPs,
>     so it won't be perfect, but nothing is.
>
>     -Nick
>
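
A jail configuration along the lines recommended above, as an added example that is not part of the original thread. The [guacamole] and [recidive] jails and their filters ship with fail2ban; the log path and all thresholds below are assumptions to adapt to your own setup.

```ini
# /etc/fail2ban/jail.local  (added example; values are assumptions to tune)

[guacamole]
# Uses the guacamole filter shipped with fail2ban (filter.d/guacamole.conf).
enabled  = true
port     = http,https
# Assumed log location: wherever the servlet container writes Guacamole's
# failed-authentication messages.
logpath  = /var/log/tomcat*/catalina.out
# Assumption: keep maxretry below the AD account lockout threshold, so one
# source address is banned before its attempts can lock the account.
maxretry = 3
# Count failures over 10 minutes, ban the address for 1 hour (seconds).
findtime = 600
bantime  = 3600

[recidive]
# Watches fail2ban's own log and re-bans hosts that keep getting banned
# by other jails, for longer and on all ports.
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
# 3 bans within 1 day lead to a 1 week ban (seconds).
maxretry  = 3
findtime  = 86400
bantime   = 604800
```

If Guacamole sits behind a reverse proxy, the address written to the log must be the client's rather than the proxy's, otherwise the ban lands on the proxy itself.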


Re: Captcha on guacamole login

Posted by Guilherme Carvalho <gc...@gmail.com>.
Yes, you're right, I am looking for fail2ban right now, but the captcha
would be perfect, the first login user password and captcha, then the TOTP.

Thanks Nick.

On Thu, 19 Mar 2020 at 15:29, Nick Couchman <vn...@apache.org> wrote:

> On Thu, Mar 19, 2020 at 12:12 PM Guilherme Carvalho <gc...@gmail.com>
> wrote:
>
>> Hello guys, I have a doubt, is it possible to set up a Captcha on the
>> first login page?
>>
>
> I have no doubt this would be possible.  There's no out-of-the-box way to
> do it, today, but I would think an extension could be written to allow it
> to function very similarly to TOTP or RADIUS with MFA.
>
>
>> I'm using LDAP + TOTP, but the problem is, if somebody tried to connect
>> many times with a user on the guacamole, this account got blocked on the
>> AD, so many services will stop and I couldn't connect.
>>
>>
> I think Mike has suggested previously elsewhere that fail2ban might be a
> good option for preventing these sorts of attacks as it will block access
> to the server from that IP.  Obviously if someone is intent on attacking
> they will do so from multiple IPs, so it won't be perfect, but nothing is.
>
> -Nick
>
>>

Re: Captcha on guacamole login

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Mar 19, 2020 at 12:12 PM Guilherme Carvalho <gc...@gmail.com>
wrote:

> Hello guys, I have a doubt, is it possible to set up a Captcha on the first
> login page?
>

I have no doubt this would be possible.  There's no out-of-the-box way to
do it, today, but I would think an extension could be written to allow it
to function very similarly to TOTP or RADIUS with MFA.


> I'm using LDAP + TOTP, but the problem is, if somebody tried to connect
> many times with a user on the guacamole, this account got blocked on the
> AD, so many services will stop and I couldn't connect.
>
>
I think Mike has suggested previously elsewhere that fail2ban might be a
good option for preventing these sorts of attacks as it will block access
to the server from that IP.  Obviously if someone is intent on attacking
they will do so from multiple IPs, so it won't be perfect, but nothing is.

-Nick

>