I have considered LDAP, just the scope of converting so many machines is more than a little intimidating for one person.  I do not have a staff, just me.

I am trying to create one of two scenarios:

1) A customer using guacamole can log in to it with the same credentials he uses for servers, e-mail, x2go, vnc, etc.

2) A customer logs in via apache and bypasses authentication at guacamole. In this case apache logs failures, and I realize tomcat can as well, but I have a jail for apache and not for tomcat, and I don't do well at creating regular expressions as interpreted by fail2ban, which has a lot of its own unique matching rules. I've done it successfully before, but I'm getting old and would rather not go bald.

3) If neither of the above solutions can be made to work, then the customer goes straight into the host selection page, but with the IP he is originating at, not the IP of the web server, so that failed logins are collected and repeat offending IPs blocked. Really, of the three this is the most convenient for the customer and the preferred one, but since I don't know how to make tomcat pass through the originating IP it's problematic. If I could get this to work, though, it has some marketing advantage, as I could configure a virtual domain with a local non-routable IP address that the web server can talk to but that's it, and configure Ubuntu with a guest account (where nothing is saved after the session), the local address limiting the ability to get out on the net and use it for DoS attacks, etc. I think it would be a cool marketing ploy.
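Scenario 3 above depends on the guacamole side seeing the originator's address rather than the web server's; on Tomcat that translation is done from the X-Forwarded-For header Apache adds by its RemoteIpValve. As an added example (not code from this thread, Guacamole or Tomcat), the Python below shows the logic such a valve has to implement, trusting a header hop only when it was appended by a known proxy so a client cannot shift blame to a forged address, and then counts repeat failures per originating IP over constructed log lines. The log format and the 10.0.0.0/8 proxy range are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: Apache, the only thing allowed to reach Tomcat, lives in these ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.0/8")]

def originating_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client IP, walking X-Forwarded-For from the right and
    trusting a hop only if it was added by one of our own proxies.  Anything
    the client forged sits further left and is never reached.  None means
    undeterminable (missing/garbled header behind our proxy): ban nothing."""
    hops = [remote_addr]
    if xff_header:
        hops = [h.strip() for h in xff_header.split(",") if h.strip()] + hops
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(addr in net for net in trusted):
            return str(addr)
    return None  # every hop was one of our proxies

# Constructed log format (not Guacamole's): peer address, XFF header, outcome.
LOG_LINE = re.compile(r'^(?P<peer>\S+) xff="(?P<xff>[^"]*)" result=(?P<result>\w+)')

SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.5 xff="203.0.113.7" result=FAILED',
    '10.0.0.5 xff="203.0.113.7" result=FAILED',
    '10.0.0.5 xff="203.0.113.7" result=OK',
    '10.0.0.5 xff="203.0.113.7" result=FAILED',
    '10.0.0.5 xff="198.51.100.9, 203.0.113.7" result=FAILED',  # forged left hop
    '192.0.2.50 xff="10.0.0.5" result=FAILED',                 # bypassed Apache
    '10.0.0.5 xff="not-an-ip" result=FAILED',                  # garbage header
]

def repeat_offenders(lines, threshold=3):
    """Count failed logins per originating IP; return those at/over threshold."""
    failures = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["result"] != "FAILED":
            continue
        ip = originating_ip(m["peer"], m["xff"] or None)
        if ip is not None:
            failures[ip] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)
```

The forged "198.51.100.9" is never credited and the direct connection that skipped Apache is attributed to its real peer, so a ban list built from `repeat_offenders` cannot be steered at a third party or at the proxy itself.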

On 8/2/23 01:08, Ivanmarcus wrote:
Thanks, Robert. FWIW I was responding to your earlier post which said:

"If I can figure out how to get tomcat to pass the IP to guacamole so when someone logs into a server via guacamole it correctly logs the originator IP and failed logins that will work also but I am utterly unfamiliar with tomcat"

Which I took to mean you wanted the connection data that's already provided in the referenced log? You could of course run a fail2ban recipe for Tomcat.

So while I have probably got the wrong end of your meaning, I do understand that you're still trying to deal with the noauth issue... to that end I don't suppose you've thought about LDAP as a common system across your various options? Guacamole has an option for that (https://guacamole.apache.org/doc/gug/ldap-auth.html), and although I've not had occasion to use it myself I understand various people are doing so successfully.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
