My firewall already has an Intrusion Detection function.Guacamole is behind
the firewall and behind the reverse proxy.When you talk about "is running on
the public-facing server" are you still talking about Guacamole?
Is Failban already configured for Guacamole or do I have to configure it myself?
Il lunedì 19 febbraio 2024 alle ore 08:33:41 CET, Michael Jumper
<mjum...@apache.org> ha scritto:
On 2/18/24 23:15, Andrea Miconi wrote:
> My Guacamole is installed on a PC with Debian 12 and I use it to connect
> to my PCs and servers.
> Besides G. there is nothing else installed; maybe later I will want to
> install Zabbix.
>
> G. is now behind a firewall with HA-Proxy as reserver proxy.
> I wonder if I shouldn't secure the server anyway, for example using UFW
> or Failban.
>
It's always advisable to configure a tool like "fail2ban" - doing so
would allow you to automatically block attempts to brute-force login
credentials.
You will need to make sure that the fail2ban service is running on the
public-facing server. Blocking the IP address of a client machine will
otherwise have no impact if all client machines are actually your
reverse proxy from the perspective of the webapp.
Ensuring your system has a functional firewall, whether with UFW or
otherwise, should be standard practice. This has little to do with
Guacamole, particularly given that you would need to allow access to
Guacamole through your firewall anyway. This has more to do with
ensuring other services that may be running on your system are not
accessible.
- Mike
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
