Posted to user@guacamole.apache.org by Tom Schoonjans <to...@me.com.INVALID> on 2021/02/04 15:59:28 UTC

Blocking REST API requests

Hi,


I noticed recently that one of our guacamole servers is being subject to a brute force attack via the REST API as shown in these logs:

guacamole_compose | 13:10:56.987 [http-nio-8080-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:10:57.668 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:00.496 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:01.354 [http-nio-8080-exec-7] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:01.902 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:02.015 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:03.559 [http-nio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:04.428 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:05.298 [http-nio-8080-exec-7] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:05.378 [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:09.072 [http-nio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:09.569 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:11.507 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:11.529 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:13.561 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:13.912 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:13.916 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:15.345 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:16.986 [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:17.984 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:19.545 [http-nio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:20.009 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:21.586 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:21.732 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:23.089 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.


Do you have any advice on how to block such an IP address automatically after a couple of failed attempts? For ssh I use denyhosts, but that doesn’t work for HTTP.

Thanks in advance!

Best,

Tom



Re: Blocking REST API requests

Posted by Sander Vanheule <Sa...@UGent.be>.
Hi Tom,

On Thu, 2021-02-04 at 15:59 +0000, Tom Schoonjans wrote:
> Hi,
> 
> 
> I noticed recently that one of our guacamole servers is being subject
> to a brute force attack via the REST API as shown in these logs:
> 
> guacamole_compose | 13:10:56.987 [http-nio-8080-exec-6] WARN 
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 141.98.255.144 for user "guacadmin" failed.
[snip]
> 
> 
> Do you have any advice on how to block such IP address automatically
> after a couple of failed attempts? For ssh I use denyhosts but that
> doesn’t work for HTTP.

It looks like fail2ban also has support for Guacamole [1]. This should
take care of stupid brute-force attacks coming from a single host. You
should also have a look at the recidive jail to block hosts that keep
trying after multiple bans.

Best,
Sander

[1] https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/guacamole.conf
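The following is an added example, not code from the thread, from fail2ban or from the Guacamole project. It reproduces the jail logic Sander refers to (maxretry failures within findtime, then a second "recidive" tier over the ban history) in plain Python, run over sample log lines constructed to match the format in Tom's excerpt, so that the thresholds can be checked before a real jail is configured. Assumptions: the log format is the single-address form shown above (newer Guacamole releases may log a bracketed address list when a proxy header is honoured, in which case the regex needs adjusting); the timestamps carry no date, so a fixed date is assumed; and, since the excerpt comes from docker compose output, fail2ban would still need a file to watch and the address logged must be the client's rather than a reverse proxy's for any ban to be meaningful.

```python
"""Fail2ban-style sliding-window detector for Guacamole auth failures.

Added example, not fail2ban's or Guacamole's code. Mirrors a jail's
maxretry/findtime logic and a recidive-style second tier over the bans.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, modelled on the format of the excerpt in the thread.
# Not a real capture: hosts, users and the INFO line are made up.
SAMPLE_LOG = """\
guacamole_compose | 13:10:56.987 [http-nio-8080-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:10:57.668 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:10:58.100 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.0.2.10 for user "alice" failed.
guacamole_compose | 13:11:00.496 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:11:01.354 [http-nio-8080-exec-7] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "admin" failed.
guacamole_compose | 13:11:02.000 [main] INFO  o.a.g.r.auth.AuthenticationService - (constructed non-matching line, must be ignored)
guacamole_compose | 13:11:05.000 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "root" failed.
guacamole_compose | 13:11:06.000 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "root" failed.
guacamole_compose | 13:25:03.559 [http-nio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:25:04.010 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:25:05.777 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
guacamole_compose | 13:25:06.302 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 141.98.255.144 for user "guacadmin" failed.
"""

# Matches the single-address format in the thread. The leading group eats an
# optional "service |" docker compose prefix. Assumption: if your Guacamole
# logs "from [client, proxy]" instead, widen the host group accordingly.
LINE_RE = re.compile(
    r"^(?:[\w-]+\s+\|\s+)?"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \[[^\]]*\] WARN\s+"
    r"o\.a\.g\.r\.auth\.AuthenticationService - "
    r"Authentication attempt from (?P<host>[0-9a-fA-F.:]+) "
    r'for user "(?P<user>[^"]*)" failed\.$'
)

ASSUMED_DATE = datetime(2021, 2, 4)  # the excerpt has time-of-day only


def parse_failures(log_text):
    """Return [(timestamp, host, user)] for every failed-auth line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = datetime.strptime(m["time"], "%H:%M:%S.%f")
        ts = ASSUMED_DATE.replace(hour=t.hour, minute=t.minute,
                                  second=t.second, microsecond=t.microsecond)
        events.append((ts, m["host"], m["user"]))
    return events


def ban_decisions(events, maxretry=4, findtime=timedelta(minutes=10)):
    """Ban a host on its maxretry-th failure inside a sliding findtime window.

    Like fail2ban, the host's counter is cleared when it is banned, so a
    further ban needs another maxretry failures. Returns [(ban_time, host)].
    """
    window = defaultdict(deque)
    bans = []
    for ts, host, _user in sorted(events, key=lambda e: e[0]):
        q = window[host]
        q.append(ts)
        while q and ts - q[0] > findtime:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans.append((ts, host))
            q.clear()
    return bans


def recidive(bans, maxretry=2, findtime=timedelta(days=1)):
    """Second tier over the ban history, as the recidive jail does over
    fail2ban's own log: hosts banned maxretry times within findtime."""
    ban_events = [(ts, host, None) for ts, host in bans]
    return [host for _, host in ban_decisions(ban_events, maxretry, findtime)]


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    first_tier = ban_decisions(evs)
    for ts, host in first_tier:
        print(f"ban {host} at {ts.time()}")
    for host in recidive(first_tier):
        print(f"recidive: long ban for {host}")
```

With the defaults (four failures in ten minutes) only 141.98.255.144 is banned, twice, and the second tier then flags it as a repeat offender; lowering maxretry to 2 also catches the host with two failures, which is the trade-off a real jail's thresholds have to strike against locking out users who mistype a password.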