Well, that was easy. I literally just copied over the jar file and restarted guacd, apache2, and tomcat9. After that I just logged out and back in to enroll in TOTP.
I did find unfortunately that the KeePass app I’m using on Android doesn’t seem to sync things both ways. Entries I create on my phone do not see to be able to sync to google drive, but that just took me a second to work around. It’s not really a big deal but it meant I had to manually enter in the secret key and such. Guac TOTP supports QR codes, and I was able to add it with my phone, but wasn’t able to get it to sync back to my computer(after five minutes of trying). That may be a project for another day.
I’ve decided with all the convience features I’ve got setup on the computers I remote into, that I should probably attempt to setup TOTP on the site to improve the security of the system. The password and username I use hasn’t been involved in any leaks that I know of, and both are unique to the site, plus you’d need the passwords to the actual computers too, but I figure it’s better safe than sorry.
The first step is to configure a database authentication extension. One nice thing about this change is that it will allow me to modify connections and user settings in the web interface, instead of connecting to SSH and modifying an XML file, and then restarting guacd.
The first step is to install the JDBC connector for mysql, which went without a hitch with
Now to create the database, which they are providing scripts to create the schema which saves a whole lot of copy/pasting. So, sign into mysql as root, create the DB, and import the schema.
cweb@thecweb:/media/store/mysql$ sudo mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3362
Server version: 8.0.39-0ubuntu0.24.04.2 (Ubuntu)
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> CREATE DATABASE guacamole_db;
Query OK, 1 row affected (0.01 sec)
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| cwOLzion |
| guacamole_db |
| information_schema |
| mysql |
| performance_schema |
| sys |
| wordpress |
+--------------------+
7 rows in set (0.00 sec)
mysql> quit
Bye
cweb@thecweb:/media/store/mysql$ cat schema/*.sql | sudo mysql -u root guacamole_db
cweb@thecweb:/media/store/mysql$
Create the DB user.
cweb@thecweb:/media/store/mysql$ sudo mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3371
Server version: 8.0.39-0ubuntu0.24.04.2 (Ubuntu)
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY '****';
Query OK, 0 rows affected (0.02 sec)
mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
Query OK, 0 rows affected (0.01 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
Seems like that went welll, so copying over the JDBC driver and guac extension.
No surprises there, but I’m going to heed this warning message about restarting guac, because I’m at work and I don’t want to kill my session if I have something configured or installed incorrectly.
It’s config time
not sure this really applies since I’ve been using vi since the late 1900s
The basic config is just telling guacd how to connect to the DB, so we just need to specify the DB server, DB, user, and password. So creating the /etc/guacamole/guacamole.properties and adding that info.
And that is it for now. I need to restart the servlet, which will disconnect me, and if I configured things incorrect, also prevent me from signing back in. I’m going to research cooking a turkey for now, and maybe later I will see if this is working. I can always poke holes in the firewall for SSH, and forward port 22, but I’d rather not just because of the immediate hacking attacks that will likely insue.
Part 2
Ok, I got bored with reddit so I poked some holes for SSH and restarted everything, and it came back up fine. Looking at /var/log/auth.log, I was a little surprised to find my paranoia was unfounded and I didn’t see a single authentication attempt during the five minutes my stupid little SSH server was accessible from the internet. Though, I guess it’s pretty unlikely that I would happened to be scanned during that short amount of time.
Now for the bad news… I can’t sign in with the guacadmin account it supposedly created in the DB. To the log files!
I checked the mysql log first, and found not connection attempts. I then checked the tomcat logs and found that the JDBC driver is not loading for some reason.
[2024-11-08 06:41:39] [info] 06:41:39.629 [main] ERROR o.a.g.extension.ProviderFactory - authentication provider extension failed to start: No JDBC driver for MySQL/MariaDB is installed.
So I first go to check permissions on the file and realize that I copied the jar file to /etc/guacamole/extensions/lib instead of /etc/guacamole/lib, so fixing that and restarting everything again.
And it works! I had to recreate my user account and all the connections, but it was a lot easier with the admin GUI.
Fancy that!
Taking another break to read about TOTP setup and reddit.
This evening at work I have decided to enable the firewall on my webserver. It is ofcourse already behind my network firewall, but if one of my other devices gets hack or something, it could become a target. I have been meaning to do it for a while now, but it’s probably been tweenty years since I’ve used iptables to do anything. And Ubuntu has a handly little utility called Uncomplicated Firewall(ufw), which is just a configuration system for iptables. And in keeping with linux development over the last couple decades, this new easier configuration comes with all these lovely config files!
Since I’m doing this at work, I have to make sure I’ve got all the rules configured correctly, or I risk being blocked for the rest of the work shift, so gotta dot my t’s and cross my eye’s.
Checking current config
/etc/default/ufw only had a couple things I might need to change, which are listed below.
# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"
# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"
# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"
The .rules files I checked just had some common sense stuff, but I haven’t found a “Drop All” command anywhere in the files. I really need to know if this is configured for default deny or allow, because that changes the order I need to add rules. I’m assuming it’s processed last. I attempted to just enable the firewall but I got a message that it may disconnect my ssh session, so I’ve decided to enter the rules I know I need and hope I don’t get blocked when I enable it.
So, building the commands to add the rules I need, which is HTTP(S) for the webserver, SSH to configure the webserver, and I’ll add some rules for RDP and Samba later, though I’m not sure I really need to because it’s acting as client. Apache and SSH are already defined as applications in /etc/ufw/applications.d.
# add rule for SSH
sudo ufw allow from 192.168.0.0/24 to any app OpenSSH
#add rule for Apache
sudo ufw allow from any to any app "Apache Full"
Unfortunately, it doesn't all me to run the status command without enabling the firewall, so I may have 7-8 hours of boredom if this goes titts up.
Wow, I wasn’t disconnected, so I did things right, or it’s just not blocking anything at all. Time to check the log.
Nothing but this error, so I think I’m good. Not sure why my router is sending this shit, but I’m guessing it’s UNPNP or Multicast something or other. It logs this every 20 seconds.
I’m kind of surpised neither my SSH, RDP, or Apache/Tomcat lost connection when I turned it on, but things seem to be working perfectly…
The status command certialy looks like I did what I inteneded…
cweb@thecweb:/var/log$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22/tcp (OpenSSH) ALLOW IN 192.168.0.0/24
80,443/tcp (Apache Full) ALLOW IN Anywhere
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
80,443/tcp (Apache Full (v6)) ALLOW IN Anywhere (v6)
One last setting to enable at boot and I’m done. Oh, well actually, it turns out that /etc/ufw/ufw.conf is automatically updated to start on boot with the ufw enable command. Cool.
I finally decided to bite the bullet and upgrade my laptop to Windows 11 Pro, so that I could use RDP instead of VNC. The primary reason I did this is to make remote access faster. Not only is the RDP protocol much faster than VNC(prob more secure too), but I’ll be connecting to my laptop, which is much newer, with twice the RAM, some sort of i7 processor, and the wifi card seems a bit stronger.
The config was quite simple after I learned to interpret this gobbledygook below:
Oct 01 19:45:13 thecweb.com guacd[1382772]: Creating new client for protocol "rdp"
Oct 01 19:45:13 thecweb.com guacd[1382772]: guacd[1382772]: INFO: Creating new client for protocol "rdp"
Oct 01 19:45:13 thecweb.com guacd[1382772]: guacd[1382772]: INFO: Connection ID is "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a"
Oct 01 19:45:13 thecweb.com guacd[1382772]: Connection ID is "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a"
Oct 01 19:45:13 thecweb.com guacd[1382975]: FreeRDP initialization may fail: The current user's home directory ("/usr/sbin") is not writable, but FreeRDP generally requires a writable home directory for storage of configura>
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: WARNING: FreeRDP initialization may fail: The current user's home directory ("/usr/sbin") is not writable, but FreeRDP generally requires a writable home di>
Oct 01 19:45:13 thecweb.com guacd[1382975]: No security mode specified. Defaulting to security mode negotiation with server.
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO: No security mode specified. Defaulting to security mode negotiation with server.
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO: Resize method: none
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO: No clipboard line-ending normalization specified. Defaulting to preserving the format of all line endings.
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO: User "@f96cd9fe-6e30-495b-8b36-dbd32578750f" joined connection "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a" (1 users now present)
Oct 01 19:45:13 thecweb.com guacd[1382975]: Resize method: none
Oct 01 19:45:13 thecweb.com tomcat9[1382777]: 19:45:13.459 [http-nio-8080-exec-8] INFO o.a.g.tunnel.TunnelRequestService - User "cweb" connected to connection "RDP on hp360".
Oct 01 19:45:13 thecweb.com guacd[1382975]: No clipboard line-ending normalization specified. Defaulting to preserving the format of all line endings.
Oct 01 19:45:13 thecweb.com guacd[1382975]: User "@f96cd9fe-6e30-495b-8b36-dbd32578750f" joined connection "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a" (1 users now present)
Oct 01 19:45:13 thecweb.com guacd[1382975]: Loading keymap "base"
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO: Loading keymap "base"
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO: Loading keymap "en-us-qwerty"
Oct 01 19:45:13 thecweb.com guacd[1382975]: Loading keymap "en-us-qwerty"
Oct 01 19:45:13 thecweb.com guacd[1382975]: Certificate validation failed
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO: Certificate validation failed
Oct 01 19:45:13 thecweb.com guacd[1382975]: RDP server closed/refused connection: SSL/TLS connection failed (untrusted/self-signed certificate?)
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO: RDP server closed/refused connection: SSL/TLS connection failed (untrusted/self-signed certificate?)
Oct 01 19:45:13 thecweb.com guacd[1382975]: User "@f96cd9fe-6e30-495b-8b36-dbd32578750f" disconnected (0 users remain)
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO: User "@f96cd9fe-6e30-495b-8b36-dbd32578750f" disconnected (0 users remain)
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO: Last user of connection "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a" disconnected
Oct 01 19:45:13 thecweb.com guacd[1382975]: Last user of connection "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a" disconnected
Oct 01 19:45:13 thecweb.com tomcat9[1382777]: 19:45:13.855 [http-nio-8080-exec-3] INFO o.a.g.tunnel.TunnelRequestService - User "cweb" disconnected from connection "RDP on hp360". Duration: 396 milliseconds
Oct 01 19:45:13 thecweb.com guacd[1382772]: Connection "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a" removed.
Oct 01 19:45:13 thecweb.com guacd[1382772]: guacd[1382772]: INFO: Connection "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a" removed.
The bolded lines are what I needed to figure this out. Really it was quite obvious where that error was coming from once I decided to try to connect from a Windows PC. Seasoned admins should be familiar with the message below:
And it turns out that Guacamole has not way of dealing with this at login. So I added the bolded param to the config file and restarted things and boom goes the dynamite.
Now, I did spend a little bit more time on an error above the one about issues writing to /usr/sbin. A red herring to be sure. Maybe I should have paid more attention to the fact that the error says it maycause issues, not that it will cause issues. After I changed permissions to /usr/sbin/.config so that the Freerdp client could write there, the error persists, but it is still writing config files there, so not sure. I only mention it because it wasted like 30 minutes of my time.
Guacamole is incredibly configurable and can be unforgiving. After going through the instructions I was curious exactly how long the instructions were so I pretended to print it. 56 pages. Lucky for me I’m just in the testing phase and I found that all I really needed to confirm it works was to create user-mapping.xml in /etc/guacamole.
<user-mapping>
<!-- Per-user authentication and config information -->
<authorize username="cweb" password="<password>">
<connection name="SSH to thecweb.com">
<protocol>ssh</protocol>
<param name="hostname">localhost</param>
<param name="port">22</param>
<param name="username">cweb</param>
<param name="enable-sftp">true</param>
</connection>
</authorize>
</user-mapping>
It took like an hour to get this far. I still need to setup VNC on my one of my Windows systems and go through some steps to secure this colander I call a server. But I’m done for today.
so it looks like all the dependencies installed correctly. make completed without errors so now make install.
sudo make install completed without errors, so I just need to sudo ldconfig to update the system library cache. And add the server to systemd.
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo guacd
guacd[24340]: INFO: Guacamole proxy daemon (guacd) version 1.5.5 started
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo systemctl enable guacd
Failed to enable unit: Unit file guacd.service does not exist.
Shit. Looks like I didn’t include the option –with-init-dir=/etc/init.d when I ran configure, so we’re going to be repeating a few steps. It’s important to actually read install instructions and not just skim them.
Shit. I want to use systemd not initd. And the instructions don’t say what the option is for that. Rather than guessing we’ll just do this
cweb@thecweb:/tmp/guacamole-server-1.5.5$ cat configure | grep systemd
systemd_dir
with_systemd_dir
--with-systemd-dir=<path>
install systemd units to the given directory
# Check whether --with-systemd_dir was given.
if test ${with_systemd_dir+y}
withval=$with_systemd_dir; systemd_dir=$withval
if test "x${systemd_dir}" != "x"; then
build_systemd="${systemd_dir}"
build_systemd=no
Systemd units: ${build_systemd}
I probably could have guessed that.
Now that I’ve got that redone, I was still getting an error because I gave the path as /etc/systemd instead of /etc/systemd/system, but that was easy to fix. We are now in business.
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo mv /etc/systemd/guacd.service /etc/systemd/system/guacd.s
ervice
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo systemctl enable guacd
Created symlink /etc/systemd/system/multi-user.target.wants/guacd.service β /etc/systemd/system/guacd.service.
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo systemctl start guacd
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo systemctl status guacd
β guacd.service - Guacamole Server
Loaded: loaded (/etc/systemd/system/guacd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2024-07-29 20:17:11 UTC; 7s ago
Docs: man:guacd(8)
Main PID: 41937 (guacd)
Tasks: 1 (limit: 9251)
Memory: 10.0M
CPU: 10ms
CGroup: /system.slice/guacd.service
ββ41937 /usr/local/sbin/guacd -f
Jul 29 20:17:11 thecweb.com systemd[1]: Started Guacamole Server.
Jul 29 20:17:11 thecweb.com guacd[41937]: Guacamole proxy daemon (guacd) version 1.5.5 started
Jul 29 20:17:11 thecweb.com guacd[41937]: guacd[41937]: INFO: Guacamole proxy daemon (guacd) ver>
Jul 29 20:17:11 thecweb.com guacd[41937]: guacd[41937]: INFO: Listening on host 127.0.0.1, port >
Jul 29 20:17:11 thecweb.com guacd[41937]: Listening on host 127.0.0.1, port 4822
cweb@thecweb:/tmp/guacamole-server-1.5.5$
The guacamole-client files and extensions are just java files that they provide precompiled, so I’m just going to do that. I’m just going to copy over the client without extensions now because I’m not sure which ones I want to use yet.
Yay! It’s working! No, wait. It’s not started, and starting it gives me an error. I messed around with trying to figure out what was wrong for a little while and then just tried Undeploy and then deployed it through the app manager using the link below, and now it’s started.
Yay!!!!!!!!!!!!!!!!! π₯³πΎπΊ
Now I need to configure it behind a reverse proxy using the instructions here. This isn’t required but it enhances the system security by allowing the applet to run without root, and allows be to access Guacamole over port 443 instead of 8080. Which is good because I don’t need to poke another hole in my firewall and it should also help hide the traffic from big brother while I’m at work.
Step one is to add the bolded lines to the Tomcat server config file at /etc/tomcat9/server.xml. This is to handle non-Latin characters. So I probably don’t really NEED it but that is what the docs say.
In the same file I need to add this stuff so Tomcat can get the remote client’s IP address. Without this it will only see the reverse proxy’s IP. If you’re curious why this is needed there are several paragraphs in the proxy instructions explaining it under the heading “Setting up the Remote IP Valve”.
Now I need to enable the modules to add reverse proxy support in Apache.
cweb@thecweb:/etc/tomcat9$ sudo a2enmod proxy
Enabling module proxy.
To activate the new configuration, you need to run:
systemctl restart apache2
cweb@thecweb:/etc/tomcat9$ sudo a2enmod proxy_http
Considering dependency proxy for proxy_http:
Module proxy already enabled
Enabling module proxy_http.
To activate the new configuration, you need to run:
systemctl restart apache2
cweb@thecweb:/etc/tomcat9$ sudo a2enmod proxy_wstunnel
Considering dependency proxy for proxy_wstunnel:
Module proxy already enabled
Enabling module proxy_wstunnel.
To activate the new configuration, you need to run:
systemctl restart apache2
cweb@thecweb:/etc/tomcat9$ sudo systemctl restart apache2
cweb@thecweb:/etc/tomcat9$
For the site configuration I need to add the below to /etc/apache2/sites-enabled/chrisweber.online-le-ssl.conf to tell Apache use the reverse proxy to access Tomcat when the specific URL Location is requested.
<Location /sneakypete/>
Order allow,deny
Allow from all
ProxyPass http://127.0.0.1:8080/sneakypete/ flushpackets=on
ProxyPassReverse http://127.0.0.1:8080/sneakypete/
</Location>
<Location /sneakypete/websocket-tunnel>
Order allow,deny
Allow from all
ProxyPass ws://127.0.0.1:8080/sneakypete/websocket-tunnel
ProxyPassReverse ws://127.0.0.1:8080/sneakypete//websocket-tunnel
Shit! I’m getting a 404 error when trying to access https://thecweb.com/sneakypete. It’s embarrising how long this took me to fix. Probably half an hour of looking at the Guacamole manuals and the mod_proxy documentation, and then another half an hour of googling with no resolution in site I thought maybe I actually need to create the directory that location is referring to? Yup… I miss understood what the Location directive actually does. I thought it just mapped the URL to the directives without referencing the servers filesystem. Nope. If the directory doesn’t exist, Apache doesn’t even go that far. So a simple “sudo mkdir sneakypete” in the site’s /var/www directory and now I’ve got the login page. Reverse proxy is working!
I think I’m done for the day. If not there will be a 3.5 post after I’ve cleared my head.
Ok, back at it. I’m starting at the dependencies section in the Guacamole manual here. I think I’ll just use this page to build the command to make things easy. I probably already have a bunch of these installed, but apt will sort that out for me. Much quicker than stare and compare. I’m pretty much installing all required and optional dependencies. The optional ones I know I need are for RDP, VNC, and SSH support. I’m not sure if I’ll ever use telenet, session recording, or audio over VNC, but it’s nice to have the option.
And this is what I got. The dependencies have dependencies, which also have dependencies, and those dependencies also have dependencies… I should have just gone with docker, but I’m only working with 100 GB of space, and I need that extra ~1 ms of speed I get from bare metal.
I had to remove like ten packages from the suggested list because apt couldn’t find them. Crap I didn’t need anyway like nvidia and cuda libraires. Wait, did I just fucking install fortran?
Setting up gfortran-11 (11.4.0-1ubuntu1~22.04) ...
Setting up gfortran (4:11.2.0-1ubuntu1) ...
update-alternatives: using /usr/bin/gfortran to provide /usr/bin/f95 (f95) in auto mode
update-alternatives: using /usr/bin/gfortran to provide /usr/bin/f77 (f77) in auto mode
Processing triggers for libc-bin (2.35-0ubuntu3.8) ...
Guess so…
It’s quarter past ten at night and I’m tired and hungry. And if installing packages was this much of a pain then I really don’t want to start compiling Guacamole from source right now. Glancing over what I’ve wrote it really doesn’t look like it took that long, but there was a lot of trial and error figuring out which packages Ubuntu didn’t have. Probably would have been quicker to just add the nvidia repository instead of playing wack-a-mole by removing the packages one by one. But that would have messed up my pure FOSS system with that evil closed source nvidia software.
