Posted to user@guacamole.apache.org by Tom Schoonjans <to...@me.com.INVALID> on 2021/02/04 15:59:28 UTC
Blocking REST API requests
Hi,
I noticed recently that one of our guacamole servers is being subjected to a brute force attack via the REST API as shown in these logs:
guacamole_compose | 13:10:56.987 [http-nio-8080-exec-6] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:10:57.668 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:00.496 [http-nio-8080-exec-3] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:01.354 [http-nio-8080-exec-7] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:01.902 [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:02.015 [http-nio-8080-exec-2] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:03.559 [http-nio-8080-exec-8] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:04.428 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:05.298 [http-nio-8080-exec-7] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:05.378 [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:09.072 [http-nio-8080-exec-8] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:09.569 [http-nio-8080-exec-5] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:11.507 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:11.529 [http-nio-8080-exec-3] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:13.561 [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:13.912 [http-nio-8080-exec-2] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:13.916 [http-nio-8080-exec-5] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:15.345 [http-nio-8080-exec-3] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:16.986 [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:17.984 [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:19.545 [http-nio-8080-exec-8] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:20.009 [http-nio-8080-exec-2] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:21.586 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:21.732 [http-nio-8080-exec-3] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:23.089 [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
Do you have any advice on how to block such IP addresses automatically after a couple of failed attempts? For ssh I use denyhosts but that doesn’t work for HTTP.
Thanks in advance!
Best,
Tom
Re: Blocking REST API requests
Posted by Sander Vanheule <Sa...@UGent.be>.
Hi Tom,
On Thu, 2021-02-04 at 15:59 +0000, Tom Schoonjans wrote:
> Hi,
>
>
> I noticed recently that one of our guacamole servers is being subjected
> to a brute force attack via the REST API as shown in these logs:
>
> guacamole_compose | 13:10:56.987 [http-nio-8080-exec-6] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 141.98.255.144 for user "guacadmin" failed.
[snip]
>
>
> Do you have any advice on how to block such IP addresses automatically
> after a couple of failed attempts? For ssh I use denyhosts but that
> doesn’t work for HTTP.
It looks like fail2ban also has support for Guacamole [1]. This should
take care of stupid brute-force attacks coming from a single host. You
should also have a look at the recidive jail to block hosts that keep
trying after multiple bans.
Best,
Sander
[1] https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/guacamole.conf
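
The threshold check that a tool like fail2ban applies (its `maxretry` and `findtime` settings), run over log lines in the format quoted in this thread. This is an added example, not part of either post and not fail2ban's code; `find_offenders`, `max_retry`, `find_time` and the threshold values are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque

# Anchored on the timestamp/thread/logger prefix so the address captured is the
# one the server wrote, not text a client placed in the username field.
LINE_RE = re.compile(
    r'(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<ms>\d{3}) \[[^\]]+\] WARN\s+'
    r'\S*AuthenticationService - Authentication attempt from '
    r'(?P<ip>\S+) for user "[^"]*" failed\.'
)

def find_offenders(lines, max_retry=5, find_time=60.0):
    """Map each IP to the time (seconds) it reached max_retry failures within find_time."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    offenders = {}
    day_offset, last_tod = 0, None
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        tod = int(m['h']) * 3600 + int(m['m']) * 60 + int(m['s']) + int(m['ms']) / 1000
        # The log format carries no date: a jump back of more than 12 hours is
        # treated as midnight rollover, a small one as thread interleaving.
        if last_tod is not None and last_tod - tod > 43200:
            day_offset += 86400
        last_tod = tod
        now = day_offset + tod
        window = recent[m['ip']]
        window.append(now)
        while now - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            offenders.setdefault(m['ip'], now)   # keep the first time the threshold was hit
    return offenders

# First five lines are from the post; the last one is constructed (documentation address).
SAMPLE = [
    'guacamole_compose | 13:10:56.987 [http-nio-8080-exec-6] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.',
    'guacamole_compose | 13:10:57.668 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.',
    'guacamole_compose | 13:11:00.496 [http-nio-8080-exec-3] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.',
    'guacamole_compose | 13:11:01.354 [http-nio-8080-exec-7] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.',
    'guacamole_compose | 13:11:01.902 [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.',
    'guacamole_compose | 13:11:02.500 [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.0.2.10 for user "alice" failed.',
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} reached the threshold at t={when:.3f}s")
```

A single mistyped password from another address stays below the threshold, which is why the check counts failures per source inside a time window rather than reacting to each line.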