My firewall already has an Intrusion Detection function. Guacamole is behind the firewall and behind the reverse proxy. When you talk about "is running on the public-facing server" are you still talking about Guacamole? Is Fail2ban already configured for Guacamole or do I have to configure it myself?

On Monday, 19 February 2024 at 08:33:41 CET, Michael Jumper <mjum...@apache.org> wrote:

On 2/18/24 23:15, Andrea Miconi wrote:
> My Guacamole is installed on a PC with Debian 12 and I use it to connect
> to my PCs and servers.
> Besides G. there is nothing else installed; maybe later I will want to
> install Zabbix.
>
> G. is now behind a firewall with HA-Proxy as reverse proxy.
> I wonder if I shouldn't secure the server anyway, for example using UFW
> or Fail2ban.
>

It's always advisable to configure a tool like "fail2ban" - doing so would allow you to automatically block attempts to brute-force login credentials. You will need to make sure that the fail2ban service is running on the public-facing server. Blocking the IP address of a client machine will otherwise have no impact if all client machines are actually your reverse proxy from the perspective of the webapp.

Ensuring your system has a functional firewall, whether with UFW or otherwise, should be standard practice. This has little to do with Guacamole, particularly given that you would need to allow access to Guacamole through your firewall anyway. This has more to do with ensuring other services that may be running on your system are not accessible.

- Mike
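
The point above about where fail2ban can see client addresses, as an added example that is not part of the original thread and is not fail2ban's or Guacamole's code: a simplified model of fail2ban's `maxretry`/`findtime` counting, run over constructed log lines. The log format, the addresses and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for illustration; not Guacamole's actual log layout.
FAILREGEX = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'login failed from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) user=\S+$'
)

PROXY = '10.0.0.2'  # constructed reverse proxy address

def addresses_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return addresses with at least maxretry failures inside a sliding findtime window."""
    recent = defaultdict(deque)
    banned = set()
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        window = recent[m['host']]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(m['host'])
    return banned

def make_log(sources):
    """Build constructed log lines, one failure every 30 s, from the given source addresses."""
    start = datetime(2024, 2, 19, 8, 0, 0)
    return [
        f"{(start + timedelta(seconds=30 * i)):%Y-%m-%d %H:%M:%S} login failed from {src} user=admin"
        for i, src in enumerate(sources)
    ]

# Constructed traffic: one client guessing passwords, one user with a single typo.
clients = ['203.0.113.7', '203.0.113.7', '198.51.100.4', '203.0.113.7', '203.0.113.7']
# What the webapp host logs when every request arrives from the proxy's address.
behind_proxy = make_log([PROXY] * len(clients))
# What is logged where the real client address is visible.
client_visible = make_log(clients)

if __name__ == '__main__':
    print('webapp host view:   ', addresses_to_ban(behind_proxy))
    print('client-visible view:', addresses_to_ban(client_visible))
```

In the first view the only address the counter can single out is the proxy's own, so the guessing client is never identified; in the second the same traffic yields the one offending client address.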