diff --git a/1-setup.sh b/1-setup.sh
index 2b0c160..4961f6f 100644
--- a/1-setup.sh
+++ b/1-setup.sh
@@ -120,6 +120,7 @@ GUAC_DB="" # If blank "" default is guacamole_db
 GUAC_USER="" # If blank "" default is guacamole_user
 MYSQL_ROOT_PWD="" # Manadatory entry here or at script prompt
 GUAC_PWD="" # Manadatory entry here or at script prompt
+GUACD_ACCOUNT="guacd" # Service account guacd will run under (and will be very heavily locked down)
 DB_TZ=$(cat /etc/timezone) # Blank "" defaults to UTC, for local timezone: $(cat /etc/timezone)
 INSTALL_TOTP="" # Add TOTP MFA extension (true/false), can't be installed simultaneously with DUO)
 INSTALL_DUO="" # Add DUO MFA extension (true/false, can't be installed simultaneously with TOTP)
@@ -146,6 +147,7 @@ BACKUP_RETENTION="30" # Days to keep SQL backups locally
 RDP_SHARE_HOST="" # Custom RDP host name shown in Windows Explorer (eg. "RDP_SHARE_LABEL on RDP_SHARE_HOST"). Blank "" = $SERVER_NAME
 RDP_SHARE_LABEL="RDP Share" # Custom RDP shared drive name in Windows Explorer (eg. "RDP_SHARE_LABEL on RDP_SHARE_HOST" eg. "your RDP share name on server01"
 RDP_PRINTER_LABEL="RDP Printer" # Custom RDP printer name shown in Windows
+CRON_DENY_FILE="/etc/cron.deny" # Distro's cron deny file
 #######################################################################################################################
 # Download GitHub setup scripts. BEFORE RUNNING SETUP, COMMENT OUT DOWNLOAD LINES OF ANY SCRIPTS YOU HAVE EDITED ! ####
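Review bot: The new `GUACD_ACCOUNT="guacd"` entry does not say what a blank value means, while every neighbouring entry in this block does, and from the hunks further down nothing substitutes a default for it, so an empty value would flow straight into the chown and guacd.service edits in 2-install-guacamole.sh. Suggest tightening the comment to `# Mandatory: local account guacd will run as (must not be blank; created and locked down by 2-install-guacamole.sh)`. The same applies to `CRON_DENY_FILE` in the next hunk, where a blank value would make the `touch`/`chmod`/`chown` in the install script operate on an empty path.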
@@ -691,6 +693,7 @@ sed -i "s|GUAC_DB=|GUAC_DB='${GUAC_DB}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
 sed -i "s|MYSQL_ROOT_PWD=|MYSQL_ROOT_PWD='${MYSQL_ROOT_PWD}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
 sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
 sed -i "s|GUAC_PWD=|GUAC_PWD='${GUAC_PWD}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
+sed -i "s|GUACD_ACCOUNT=|GUACD_ACCOUNT='${GUACD_ACCOUNT}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
 sed -i "s|RDP_SHARE_HOST=|RDP_SHARE_HOST='${RDP_SHARE_HOST}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
 sed -i "s|RDP_SHARE_LABEL=|RDP_SHARE_LABEL='${RDP_SHARE_LABEL}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
@@ -756,6 +759,7 @@ export GUAC_DB=$GUAC_DB
 export GUAC_USER=$GUAC_USER
 export MYSQL_ROOT_PWD="${MYSQL_ROOT_PWD}"
 export GUAC_PWD="${GUAC_PWD}"
+export GUACD_ACCOUNT=$GUACD_ACCOUNT
 export DB_TZ="${DB_TZ}"
 export INSTALL_TOTP=$INSTALL_TOTP
 export INSTALL_DUO=$INSTALL_DUO
@@ -782,6 +786,7 @@ export RDP_SHARE_LABEL="${RDP_SHARE_LABEL}"
 export RDP_PRINTER_LABEL="${RDP_PRINTER_LABEL}"
 export LOCAL_DOMAIN=$LOCAL_DOMAIN
 export DOMAIN_SUFFIX=$DOMAIN_SUFFIX
+export CRON_DENY_FILE=$CRON_DENY_FILE
 # Run the Guacamole install script (with all exported variables from this current shell)
 sudo -E ./2-install-guacamole.sh
diff --git a/2-install-guacamole.sh b/2-install-guacamole.sh
index b1a9141..dc0897c 100644
--- a/2-install-guacamole.sh
+++ b/2-install-guacamole.sh
@@ -268,19 +268,31 @@ rm -rf /etc/guacamole/extensions/
 mkdir -p /etc/guacamole/lib/
 mkdir -p /etc/guacamole/extensions/
-# Setup freerdp profile permissions for storing certificates
-mkdir -p /usr/sbin/.config/freerdp
-chown daemon:daemon /usr/sbin/.config/freerdp
+# Create a custom guacd service account and heavily lock it down
+adduser "${GUACD_ACCOUNT}" --disabled-password --disabled-login --gecos "" > /dev/null 2>&1
+gpasswd -d "${GUACD_ACCOUNT}" users > /dev/null 2>&1
+echo -e "\nMatch User ${GUACD_ACCOUNT}\n X11Forwarding no\n AllowTcpForwarding no\n PermitTTY no\n ForceCommand cvs server" | sudo tee -a /etc/ssh/sshd_config > /dev/null 2>&1
+systemctl restart sshd
+touch "${CRON_DENY_FILE}"
+chmod 644 "${CRON_DENY_FILE}"
+chown root:root "${CRON_DENY_FILE}"
+if ! grep -q "^${GUACD_ACCOUNT}$" "${CRON_DENY_FILE}"; then
+ echo "$GUACD_ACCOUNT" | sudo tee -a "$CRON_DENY_FILE" > /dev/null 2>&1
+fi
-# Setup correct permissions for history recorded storage feature
+# Setup freerdp profile permissions for storing certificates
+mkdir -p /home/"${GUACD_ACCOUNT}"/.config/freerdp
+chown ${GUACD_ACCOUNT}:${GUACD_ACCOUNT} /home/"${GUACD_ACCOUNT}"/.config/freerdp
+
+# Setup guacamole permissions
 mkdir -p /var/guacamole
-chown daemon:daemon /var/guacamole
+chown "${GUACD_ACCOUNT}":"${GUACD_ACCOUNT}" /var/guacamole
 # Make and install guacd (Guacamole-Server)
-cd guacamole-server-${GUAC_VERSION}/
 echo
 echo -e "${GREY}Compiling Guacamole-Server from source with with GCC $(gcc --version | head -n1 | grep -oP '\)\K.*' | awk '{print $1}'), this might take a few minutes...${GREY}"
+cd guacamole-server-${GUAC_VERSION}/
 # Skip any deprecated software warnings various distros may throw during build
 export CFLAGS="-Wno-error"
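Review bot: The `echo -e "\nMatch User ${GUACD_ACCOUNT}..." | sudo tee -a /etc/ssh/sshd_config` line appends unconditionally, unlike the cron.deny entry a few lines below which is guarded with `grep -q`, so every re-run of the installer stacks another Match block, and `systemctl restart sshd` then reloads the result without checking that it parses. Guard the append with the same grep pattern and run `sshd -t` before restarting, so a malformed block cannot take SSH down on the jump host. The account lockdown would also be tighter if the adduser line passed `--shell /usr/sbin/nologin`, since `--disabled-login` on its own leaves the default login shell in place (confirm against the distro's adduser).
```shell
# … unchanged: adduser / gpasswd lines …
if ! grep -q "^Match User ${GUACD_ACCOUNT}$" /etc/ssh/sshd_config; then
  printf '\nMatch User %s\n    X11Forwarding no\n    AllowTcpForwarding no\n    PermitTTY no\n    ForceCommand cvs server\n' "${GUACD_ACCOUNT}" | sudo tee -a /etc/ssh/sshd_config > /dev/null
fi
# Only restart sshd if the resulting config parses; a bad Match block would otherwise lock out SSH
if sshd -t; then
  systemctl restart sshd
else
  echo "sshd_config failed validation, sshd was not restarted" >&2
fi
# … unchanged: cron.deny handling onwards …
```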
@@ -487,7 +499,7 @@ if [[ "${INSTALL_HISTREC}" = true ]]; then
 chmod 664 /etc/guacamole/extensions/guacamole-history-recording-storage-${GUAC_VERSION}.jar
 #Setup the default recording path
 mkdir -p ${HISTREC_PATH}
- chown daemon:tomcat ${HISTREC_PATH}
+ chown ${GUACD_ACCOUNT}:tomcat ${HISTREC_PATH}
 chmod 2750 ${HISTREC_PATH}
 echo "recording-search-path: ${HISTREC_PATH}" >>/etc/guacamole/guacamole.properties
 if [[ $? -ne 0 ]]; then
@@ -690,6 +702,9 @@ fi
 # Ensure guacd is started
 echo -e "${GREY}Starting guacd service & enable at boot..."
+# Update the systemd unit file the default daemon to the chosen service account
+sudo sed -i "s/\bdaemon\b/${GUACD_ACCOUNT}/g" /etc/systemd/system/guacd.service
+systemctl daemon-reload
 systemctl enable guacd
 systemctl stop guacd 2>/dev/null
 systemctl start guacd
diff --git a/README.md b/README.md
index bf4667f..e4e4c52 100644
--- a/README.md
+++ b/README.md
@@ -4,17 +4,16 @@
-## Introduction
-
-This project allows you to easily set up a Guacamole jump-host for secure remote access.
-
-
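Review bot: The `sudo sed -i "s/\bdaemon\b/${GUACD_ACCOUNT}/g"` line in the second hunk rewrites every whole word `daemon` in guacd.service rather than the `User=`/`Group=` values, and if GUACD_ACCOUNT is empty it turns `User=daemon` into `User=`, which systemd reads as unset, so guacd would come up as root. Fail fast on an empty value and anchor the substitution: `: "${GUACD_ACCOUNT:?GUACD_ACCOUNT must be set}"` followed by `sed -i -E "s/^(User|Group)=daemon$/\1=${GUACD_ACCOUNT}/" /etc/systemd/system/guacd.service`. The same substitution appears in the upgrade-guacamole.sh hunk at the end of this diff, and that script's `GUACD_ACCOUNT=` placeholder is only filled in by 1-setup.sh's sed, so the guard matters at least as much there. The `sudo` prefix is also redundant here, since 1-setup.sh already runs this script via `sudo -E`.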

+## Introduction
+
+This project allows you to easily set up a Guacamole jump-host for secure remote access.
+
 This modular suite of build and management scripts makes provisioning a secure Guacamole jump server a breeze. It supports TLS reverse proxy (self-signed or Let's Encrypt), Active Directory integration, multi-factor authentication, Quick Connect & History Recording Storage UI enhancements, a custom UI theme creation tool & template (dark themed), auto database backup, email alerts, internal security hardening options, and a fail2ban policy for defence against brute force attacks. The suite also includes code for an enterprise deployment similar to [Amazon's Guacamole Bastion Cluster](http://netcubed-ami.s3-website-us-east-1.amazonaws.com/guaws/v2.3.1/cluster/).
 ## Automatic Installation
diff --git a/upgrade-guacamole.sh b/upgrade-guacamole.sh
index 3eb2fe4..2883619 100644
--- a/upgrade-guacamole.sh
+++ b/upgrade-guacamole.sh
@@ -78,6 +78,7 @@ MYSQL_ROOT_PWD=
 RDP_SHARE_HOST=
 RDP_SHARE_LABEL=
 RDP_PRINTER_LABEL=
+GUACD_ACCOUNT=
 # Standardise on a distro version identification lexicon
 source /etc/os-release
@@ -342,16 +343,20 @@ for file in /etc/guacamole/extensions/guacamole-history-recording-storage*.jar;
 fi
 done
-# Setup freerdp profile permissions for storing certificates
-mkdir -p /usr/sbin/.config/freerdp
-chown daemon:daemon /usr/sbin/.config/freerdp
-
-# Setup correct permissions for history recorded storage feature
-mkdir -p /var/guacamole
-chown daemon:daemon /var/guacamole
-
 # Bring guacd and Tomcat back up
 echo -e "${GREY}Starting guacd and Tomcat services..."
+
+# Reset freerdp profile permissions for storing certificates
+mkdir -p /home/"${GUACD_ACCOUNT}"/.config/freerdp
+chown ${GUACD_ACCOUNT}:${GUACD_ACCOUNT} /home/"${GUACD_ACCOUNT}"/.config/freerdp
+
+# Reset guacamole permissions
+mkdir -p /var/guacamole
+chown "${GUACD_ACCOUNT}":"${GUACD_ACCOUNT}" /var/guacamole
+
+# Reset the guacd systemd unit file's default service account
+sudo sed -i "s/\bdaemon\b/${GUACD_ACCOUNT}/g" /etc/systemd/system/guacd.service
+systemctl daemon-reload
 systemctl enable guacd
 systemctl start guacd
 systemctl start ${TOMCAT_VERSION}
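Review bot: Nothing in this hunk, or elsewhere in upgrade-guacamole.sh as far as this diff shows, creates the GUACD_ACCOUNT user, yet the new `chown ${GUACD_ACCOUNT}:${GUACD_ACCOUNT}` lines and the `User=` rewrite of guacd.service both require it to exist; an installation made before this change ran guacd as `daemon` (the removed lines), so upgrading it would likely leave the chowns failing and guacd refusing to start under a non-existent user. Add an existence check ahead of the first chown, e.g. `id "${GUACD_ACCOUNT}" >/dev/null 2>&1 || adduser "${GUACD_ACCOUNT}" --disabled-password --disabled-login --gecos "" >/dev/null 2>&1`, or abort with a clear message. If the account is created here it would not receive the sshd and cron.deny lockdown that 2-install-guacamole.sh applies, so that hardening is worth factoring into a step both scripts share.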