Bad form replying to my own post I know but just in case, for the eagle-eyed, you will see the plots I included weren't actually for Guacamole.

The reason for that is simply that while my Guacamole VM's do have fail2ban (and recidive) operational I don't plot their fail2ban data over time.

Obviously I do for postfix and the plots I included were intended simply to show the effect of recidive. Presently I have no blacklisted hosts on Guacamole, partly due to some other measures in use, nevertheless I consider fail2ban an important tool in protecting the system(s).


On 20/03/2020 10:12 a.m., ivanmarcus wrote:

I highly recommend fail2ban.

If you do implement it then I suggest you consider including the recidive option.

Attached are two plots, one showing current fail2ban blacklisted ip's (including recidive), and one showing the effect of introducing recidive last year...


On 20/03/2020 8:18 a.m., Guilherme Carvalho wrote:
Yes, you´re right, i am looking for fail2ban right now, but the captcha would be perfect, the first login user password and captcha, than the TOTP.

Thanks Nick.

Em qui., 19 de mar. de 2020 às 15:29, Nick Couchman <vn...@apache.org <mailto:vn...@apache.org>> escreveu:

    On Thu, Mar 19, 2020 at 12:12 PM Guilherme Carvalho
    <gccarva...@gmail.com <mailto:gccarva...@gmail.com>> wrote:

        Hello guys, i have a doubt, is it possible to setup a Captcha
        on the first login page??


    I have no doubt this would be possible.  There's no
    out-of-the-box way to do it, today, but I would think an
    extension could be written to allow it to function very similarly
    to TOTP or RADIUS with MFA.

        I´m using LDAP + TOTP, but the problems is, if somebody tried
        to connect many times with an user on the guacamole, this
        account got blocked on the AD, so many services will stop and
        i couldn´t connect.


    I think Mike has suggested previously elsewhere that fail2ban
    might be a good option for preventing these sorts of attacks as
    it will block access to the server from that IP.  Obviously if
    someone is intent on attacking they will do so from multiple IPs,
    so it won't be perfect, but nothing is.

    -Nick




---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

Reply via email to