On Wed, Sep 24, 2025 at 1:26 PM Michael Jumper <[email protected]> wrote:
> On September 24, 2025 5:52:20 AM PDT, Nick Couchman <[email protected]> wrote:
> >On Mon, Sep 22, 2025 at 7:22 PM Ares Li <[email protected]> wrote:
> >
> >> Hello community,
> >>
> >> I know in 1.6.0 the failed login attempts will ban the IP by default, but
> >> this would not make sense in the scenario that users are under VPN. I am
> >> wondering if we (will) support banning username instead of a public facing
> >> IP.
> >>
> >>
> >Hello, Ares,
> >Your point is well-taken that it would probably be useful to have a
> >feature, either in the JDBC module or in the Ban module, to lock out
> >accounts based on failed login attempts, as is common for authentication
> >systems. I actually thought we already had that functionality in the JDBC
> >account, but apparently I was mistaken, so I think a feature request and
> >work to implement that would be in order.
> >
>
> If considering username instead of IP, I would be concerned that a
> malicious user could trivially leverage that behavior to deny a specific,
> known user access to Guacamole. There'd need to be some reliable,
> out-of-band mechanism for the real user to come back, verify themselves,
> and regain access to their account.
>

Good points - I didn't think about that. I was thinking about the fact that
it's more likely that a real attacker will try multiple usernames to try to
circumvent any sort of a per-user lockout, but didn't think about there being
certain situations where a user is targeted.

> We could consider _both_ username and IP, optionally flagging repeated
> failed attempts to authenticate as problematic only if also against the
> same account. That might avoid both cases, but would be arguably weaker
> than banning purely IPs.
>

I think having this as an option would be good - I do think the default of
the IP-based approach is probably good for most situations, particularly
where Guacamole is exposed to the Internet, as it avoids both the shortfall
of targeting a particular user and that of attacking the system via multiple
user accounts. But, I do see the original use-case of having situations where
you may lack visibility into the actual source IP address of the clients.

-Nick
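Added example, not code from the thread or from Guacamole itself: a small Python model of the three ban keys discussed above (IP only, username only, IP plus username), run against the two attack patterns the thread raises, a spray of many usernames from one address and a lockout of one account from many addresses. The threshold (5 failures), the window (300 s) and the addresses are constructed for the demonstration.

```python
from collections import defaultdict, deque


class FailedLoginTracker:
    """Count failed logins per key inside a sliding time window.

    mode chooses what the ban is keyed on:
      "ip"      -> ban the source address (the 1.6.0 default named in the thread)
      "user"    -> classic account lockout (ban the username)
      "ip+user" -> only repeated failures from the same address against the
                   same account count (the combined option suggested above)
    """

    def __init__(self, mode, threshold=5, window_seconds=300):
        self.mode = mode
        self.threshold = threshold
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _key(self, ip, username):
        return {"ip": ip, "user": username, "ip+user": (ip, username)}[self.mode]

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return q

    def record_failure(self, ip, username, now):
        self._recent(self._key(ip, username), now).append(now)

    def is_blocked(self, ip, username, now):
        return len(self._recent(self._key(ip, username), now)) >= self.threshold


def simulate(mode):
    """Replay the thread's scenarios against one mode (constructed addresses)."""
    t = FailedLoginTracker(mode, threshold=5)
    # Scenario 1: one address sprays a single failure at each of ten accounts.
    for i in range(10):
        t.record_failure("198.51.100.7", f"user{i}", now=i)
    spray_stopped = t.is_blocked("198.51.100.7", "user99", now=10)
    # Scenario 2: ten addresses each fail once against 'alice' to lock her out.
    for i in range(10):
        t.record_failure(f"203.0.113.{i}", "alice", now=20 + i)
    alice_locked_out = t.is_blocked("192.0.2.50", "alice", now=30)  # her own address
    # Scenario 3: one address hammers one account; every mode should stop this.
    for i in range(5):
        t.record_failure("198.51.100.9", "bob", now=40 + i)
    brute_force_stopped = t.is_blocked("198.51.100.9", "bob", now=45)
    return {"spray_stopped": spray_stopped, "alice_locked_out": alice_locked_out,
            "brute_force_stopped": brute_force_stopped}
```

The results match the trade-off stated in the thread: username-only lockout lets an attacker deny alice access, IP-only bans miss nothing here but are useless behind a VPN or proxy where all users share one address, and the combined key avoids the lockout but no longer stops the username spray.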
