Posted to user@guacamole.apache.org by DM...@simard.ca on 2017/08/04 13:24:02 UTC

Guacamole had some type of DoS-type effect on it from a normal client

Hi
I'm not sure how to post this, but I noticed a short time ago our 
Guacamole server (recently upgraded to 0.9.12) was really slow and was 
not responding. It has never done this before.
After logging into it via ssh it was responding, but quite slowly, and when I 
checked the stats the memory seemed all used.
I checked the syslog and all I saw was lines like this all day.

Jul 28 14:26:57 server kernel: [617311.261369] TCP: drop open request from xxx.xxx.xxx.146/57162
Jul 28 14:26:58 server kernel: [617311.393392] TCP: drop open request from xxx.xxx.xxx.146/57163
Jul 28 14:26:58 server kernel: [617311.527442] TCP: drop open request from xxx.xxx.xxx.146/57164
Jul 28 14:26:58 server kernel: [617311.645377] TCP: drop open request from xxx.xxx.xxx.146/57165
Jul 28 14:26:58 server kernel: [617311.777411] TCP: drop open request from xxx.xxx.xxx.146/57166
Jul 28 14:26:58 server kernel: [617311.909498] TCP: drop open request from xxx.xxx.xxx.146/57167

I was not sure what was going on or who it may be, so I quickly 
tossed in a rule to block that IP (xxx...) in the Unix firewall. After 
that Guacamole started to behave normally again, i.e. responding on the 
webserver.
Now it seems it was actually one of the users' machines (unless it was a 
total coincidence that someone tried something from the same IP that happened 
to match one of our users at their ISP). 
Our system has very low usage, perhaps 1-2 users max at a time. Running 
Ubuntu 14.04 with nginx passing to Tomcat on https only, MySQL database 
for users.

I could not find much else in the logs at the time and unfortunately, the 
way the logs seem to be configured, I was not able to figure out at the 
time what user was using that IP. Where could I look for that, by the way?
I noticed the Tomcat logs only show an authentication from 127.0.0.1:
"""
08:56:42.000 [http-bio-8080-exec-9] INFO o.a.g.r.auth.AuthenticationService - User "user1" successfully authenticated from 127.0.0.1.
08:56:46.256 [http-bio-8080-exec-6] INFO o.a.g.tunnel.TunnelRequestService - User "user1" connected to connection "14".
"""

Any comments here?

/danielm
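The "TCP: drop open request from" lines quoted in the post are the message the Linux kernel logs when it discards an incoming SYN because the listening socket's SYN backlog is close to exhausted and SYN cookies are disabled; the kernel uptime stamp in square brackets has sub-second resolution, so it is the better field for measuring how fast the drops arrive. As an added example that is not part of the post or of the Guacamole project, the Python below parses lines of that shape, aggregates them per source address, and flags a source that produced many drops in a short window, which is the pattern in the excerpt: one host, consecutive source ports, six drops within one second. The sample lines are constructed to match the excerpt (documentation addresses stand in for the redacted ones, and an unrelated sshd line is mixed in), and the thresholds in `suspects` are assumptions to tune for your own traffic.

```python
import re

# Constructed sample in the shape of the syslog excerpt from the post.
# 203.0.113.146 mirrors the redacted xxx.xxx.xxx.146; the last two lines are
# noise added to show that unrelated and single drops are not flagged.
SAMPLE_SYSLOG = """\
Jul 28 14:26:57 server kernel: [617311.261369] TCP: drop open request from 203.0.113.146/57162
Jul 28 14:26:58 server kernel: [617311.393392] TCP: drop open request from 203.0.113.146/57163
Jul 28 14:26:58 server kernel: [617311.527442] TCP: drop open request from 203.0.113.146/57164
Jul 28 14:26:58 server kernel: [617311.645377] TCP: drop open request from 203.0.113.146/57165
Jul 28 14:26:58 server kernel: [617311.777411] TCP: drop open request from 203.0.113.146/57166
Jul 28 14:26:58 server kernel: [617311.909498] TCP: drop open request from 203.0.113.146/57167
Jul 28 14:27:03 server kernel: [617316.101010] TCP: drop open request from 198.51.100.7/40001
Jul 28 14:27:09 server sshd[1234]: Accepted publickey for admin from 198.51.100.7 port 50022 ssh2
"""

# syslog timestamp, host, kernel uptime in seconds, source address and source port
DROP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[(?P<uptime>\d+\.\d+)\] "
    r"TCP: drop open request from (?P<ip>[0-9a-fA-F.:]+)/(?P<port>\d+)$"
)


def parse_drops(text):
    """Yield (uptime_seconds, source_ip, source_port) for each matching line."""
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if m:
            yield float(m["uptime"]), m["ip"], int(m["port"])


def summarize(text):
    """Per source IP: number of drops, first/last uptime stamp, source ports seen."""
    stats = {}
    for t, ip, port in parse_drops(text):
        s = stats.setdefault(ip, {"count": 0, "first": t, "last": t, "ports": []})
        s["count"] += 1
        s["first"] = min(s["first"], t)
        s["last"] = max(s["last"], t)
        s["ports"].append(port)
    return stats


def suspects(text, min_count=5, max_span_seconds=2.0):
    """Source IPs with at least min_count drops inside max_span_seconds.

    The thresholds are assumptions chosen for this sample, not values from
    the post; a busy server needs higher ones.
    """
    flagged = []
    for ip, s in summarize(text).items():
        if s["count"] >= min_count and (s["last"] - s["first"]) <= max_span_seconds:
            flagged.append(ip)
    return flagged


def sequential_ports(ports):
    """True when each source port is one higher than the previous: a single
    client opening connections in a tight loop, as in the excerpt, rather than
    a flood of spoofed sources with random ports."""
    return len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))


if __name__ == "__main__":
    for ip in suspects(SAMPLE_SYSLOG):
        s = summarize(SAMPLE_SYSLOG)[ip]
        print(f"{ip}: {s['count']} drops in {s['last'] - s['first']:.3f}s, "
              f"sequential ports: {sequential_ports(s['ports'])}")
```

Feed it `/var/log/syslog` or `/var/log/kern.log` instead of the constructed sample to get the same summary for a real incident. On the post's second question: a Tomcat instance behind a reverse proxy sees the proxy as its TCP peer, so its own logs record 127.0.0.1 unless the proxy forwards the client address in a header and Tomcat is configured to trust that header; the script above cannot join the kernel drops to a Guacamole user while the logs look as they do in the post.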