A while back I wrote a quick article about how to run Guacamole in a Docker container. With a docker-compose file and containers, it’s really easy to set up web-based access to your computing resources. However, there are a few things you may want to do to secure access to your Guacamole site. After all, this portal grants RDP or SSH access to servers, and should be kept as secure as those protocols.
Redirecting the main page
One of the lines from the compose file redirected the main index file to a local one. The point is to keep the default Tomcat welcome page from showing up on your server if someone goes to http://server-name/ instead of http://server-name/guacamole/.
If you want to redirect users automatically, you can put this HTML code inside the /usr/local/tomcat/webapps/ROOT/index.jsp file:
<meta http-equiv="refresh" content="0;URL='/guacamole/'"/>
Disabling the ‘guacadmin’ user
Unless you have a regular need to set up different users and connections, one thing you can do is create your connections, set up users who only have access to specific connections, and then disable the ‘guacadmin’ user until you need it again. This prevents someone from brute-forcing this admin user and possibly creating additional users or permissions.
If you use the compose script from the previous article, then your users are listed in the MySQL database called guacamole. The first user has an id of 1, and all you need to do is change the disabled column to the value you need. These are two scripts you can use to do this from a command line:
disable_guacadmin.sh
#!/bin/bash
# Lock the first user (guacadmin, user_id 1) out of the web UI; prompts for the MySQL root password
docker exec -it guac_mysql_1 mysql -u root -p guacamole -e "UPDATE guacamole_user SET disabled=1 WHERE user_id=1;"
enable_guacadmin.sh
#!/bin/bash
# Re-enable the same user; prompts for the MySQL root password
docker exec -it guac_mysql_1 mysql -u root -p guacamole -e "UPDATE guacamole_user SET disabled=0 WHERE user_id=1;"
By disabling the administrative user’s web access, you help secure your server until you need to use this user again. When running these scripts, you will need to enter the MySQL root password you chose during the initial installation.
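As an added example (not one of the article's own scripts), here is a version of the same idea that targets any user by name rather than hard-coding user_id=1, and refuses names that could alter the statement it builds. It assumes the same guac_mysql_1 container and guacamole database as above, and the Guacamole 1.x schema in which usernames live in guacamole_entity and guacamole_user joins to it through entity_id (an assumption; the 0.9.x schema kept the username directly in guacamole_user).

```shell
#!/bin/sh
# Added example, not from the original article: toggle any Guacamole user's
# "disabled" flag by username instead of the hard-coded user_id=1.
# Assumptions: the MySQL container is named guac_mysql_1 and the database is
# "guacamole" (as in the article's compose setup), and the Guacamole 1.x
# schema applies (guacamole_user.entity_id -> guacamole_entity.name/type).

# Accept only a conservative character set for the username, so a name can
# never smuggle extra SQL into the statement assembled below.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.@-]{1,128}$'
}

# Print the UPDATE for "enable" or "disable"; fail on anything else.
build_toggle_sql() {
    action="$1"; user="$2"
    valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    case "$action" in
        disable) flag=1 ;;
        enable)  flag=0 ;;
        *) echo "usage: $0 enable|disable USERNAME" >&2; return 1 ;;
    esac
    printf "UPDATE guacamole_user u JOIN guacamole_entity e ON u.entity_id = e.entity_id SET u.disabled = %s WHERE e.name = '%s' AND e.type = 'USER';" "$flag" "$user"
}

# Run the statement inside the MySQL container; mysql prompts for the root password.
toggle_user() {
    sql="$(build_toggle_sql "$1" "$2")" || return 1
    docker exec -it guac_mysql_1 mysql -u root -p guacamole -e "$sql"
}

# Only act when invoked directly with an action, so the functions can also be sourced.
if [ "${1:-}" = "enable" ] || [ "${1:-}" = "disable" ]; then
    toggle_user "$1" "$2"
fi
```

Usage is `./toggle_guac_user.sh disable guacadmin` and `./toggle_guac_user.sh enable guacadmin`; the validation step is what lets you safely take the username from the command line instead of editing the script each time.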
Using two-factor authentication
In a previous article, I wrote about how to use the Google Authenticator for local logins on CentOS 7. This makes the SSH process ask not only for your password but also for a rotating token in order to log in. However, Guacamole doesn’t support this kind of multi-step password prompt. So instead of disabling two-factor authentication on your servers, one thing you could do is disable password authentication. Since users already have to authenticate with a username and a password on Guacamole, it makes sense to use the server’s own password prompt to ask for the token instead. This way, you still retain two factors.
In order to disable the password prompt and leave only the Google Authenticator prompt for logins that come from your Guacamole server, you need to add the following line to the /etc/pam.d/sshd file, just before the auth substack password-auth line:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-no-authenticator.conf
This basically means that if the user matches what’s in this config file, then ignore the next line and assume a successful login. Then in the /etc/security/access-no-authenticator.conf file, you can add this:
+:ALL:172.16.0.0/12
-:ALL:ALL
This allows all users to match if they come from this specific address range, which is what Docker uses by default. If they are from another IP address, then this will fail and the user will be asked for their password as usual. Note however that this assumes that all your users have a Google Authenticator token set. Otherwise, you may want to change the first ALL to a specific username.
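As an added example that is not part of the original article, the following checker verifies the two pieces of configuration described above before you rely on them: that the pam_access line sits immediately before auth substack password-auth (since success=1 skips exactly one entry, anything else in between changes what gets skipped), and that the access file ends with an explicit deny and only allows the Docker range. File paths are parameters so it can run against copies; the defaults are the paths used in the text.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the PAM line and
# the access file described above, so a typo or a later package update can't
# silently turn "skip the password for Docker-sourced logins" into something else.

# Return the PAM entries of a file with comments and blank lines removed,
# since success=N counts module lines, not file lines.
pam_entries() {
    grep -v -E '^[[:space:]]*(#|$)' "$1"
}

# The pam_access line must be the entry directly before "auth substack password-auth".
check_pam_order() {
    entries=$(pam_entries "$1")
    access_line=$(printf '%s\n' "$entries" | grep -n -E '^auth[[:space:]]+\[success=1 default=ignore\][[:space:]]+pam_access\.so' | head -1 | cut -d: -f1)
    substack_line=$(printf '%s\n' "$entries" | grep -n -E '^auth[[:space:]]+substack[[:space:]]+password-auth' | head -1 | cut -d: -f1)
    [ -n "$access_line" ] && [ -n "$substack_line" ] || return 1
    [ $((access_line + 1)) -eq "$substack_line" ]
}

# The access file must end with "-:ALL:ALL" so logins from anywhere else fall
# through to the normal password prompt, and the allow rule must name the
# Docker range used in the text (172.16.0.0/12). The first field may be ALL
# or a specific username, as the text suggests.
check_access_conf() {
    last=$(grep -v -E '^[[:space:]]*(#|$)' "$1" | tail -1)
    [ "$last" = "-:ALL:ALL" ] || return 1
    grep -q -E '^\+:[^:]+:172\.16\.0\.0/12$' "$1"
}

# Run both checks; prints "ok" on success. Defaults are the article's paths.
check_all() {
    check_pam_order "${1:-/etc/pam.d/sshd}" || { echo "pam_access line missing or not directly before 'auth substack password-auth'" >&2; return 1; }
    check_access_conf "${2:-/etc/security/access-no-authenticator.conf}" || { echo "access file lacks the Docker allow rule or a trailing -:ALL:ALL" >&2; return 1; }
    echo "ok"
}
```

Run it as `sh check_guac_pam.sh` on the server after editing the two files; a non-zero exit with the printed reason tells you which of the two assumptions the setup depends on has been broken.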