diff --git a/1-setup.sh b/1-setup.sh
index 83d82ef..e549211 100644
--- a/1-setup.sh
+++ b/1-setup.sh
@@ -438,7 +438,7 @@ fi
 echo -e ${GREY}
 # Prompt for preferred backup notification email address
-if [[ -z ${BACKUP_EMAIL} ]]; then
+if [ -z ${BACKUP_EMAIL} ]; then
 while true; do
 read -p "SQL: Enter email address for SQL backup messages [Enter to skip]: " BACKUP_EMAIL
 [ "${BACKUP_EMAIL}" = "" ] || [ "${BACKUP_EMAIL}" != "" ] && break
diff --git a/2-install-guacamole.sh b/2-install-guacamole.sh
index b2bec3c..45f6e02 100644
--- a/2-install-guacamole.sh
+++ b/2-install-guacamole.sh
@@ -615,7 +615,7 @@ fi
 if [ "${CHANGE_ROOT}" = true ]; then
 echo -e "${GREY}Shortening the Guacamole root url and setting up redirect...${DGREY}"
 systemctl stop ${TOMCAT_VERSION}
- mv /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html index.html.old
+ mv /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html.old
 touch /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.jsp
 echo "<% response.sendRedirect(\"/guacamole\");%>" >>/var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.jsp
 systemctl start ${TOMCAT_VERSION}
@@ -663,7 +663,6 @@ if [ $? -ne 0 ]; then
 exit 1
 else
 echo -e "${LGREEN}OK${GREY}"
- echo
 fi
 # Done
diff --git a/README.md b/README.md
index 9218aee..e4e688e 100644
--- a/README.md
+++ b/README.md
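Review bot: In the 1-setup.sh hunk the new test `[ -z ${BACKUP_EMAIL} ]` leaves the expansion unquoted, and unlike `[[ ]]` the `[` builtin word-splits and globs it, so a preset value containing whitespace or glob characters turns the test into a `[` usage error rather than a clean string check. Quote it: `if [ -z "${BACKUP_EMAIL}" ]; then`. Separately, the loop's exit condition on the unchanged line (`= ""` or `!= ""`) is always true, so whatever is typed is accepted without any format check; if the address is later handed to a mail command, a basic pattern check at this prompt would be worth adding. The `if`/`while` body continues outside the hunk.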
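Review bot: The corrected `mv` in the `CHANGE_ROOT` block of 2-install-guacamole.sh now leaves `index.html.old` inside the ROOT webapp directory, where Tomcat will presumably keep serving it at `/index.html.old`; a backup kept outside `webapps` keeps the default page off the public site, for example `mv "/var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html" "/var/lib/${TOMCAT_VERSION}/index.html.old"`. The `mv` result is also unchecked and the following `>>` appends to index.jsp, so a second run with `CHANGE_ROOT` set would report an mv error and add a duplicate redirect line; writing the file with `>` avoids the duplicate. The `if` block closes outside the hunk.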
@@ -10,11 +10,11 @@ wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh
 ```
-## Prerequisites
+## Prerequisites (Debian 12 now working!)
 **Before diving in, make sure you have:**
-- A compatible OS: Ubuntu 18.04 - 22.x, Debian 10 or 11, or Raspbian Buster/Bullseye (If using vendor cloud images stick to stable releases).
+- A compatible OS: Ubuntu 18.04 - 22.x, Debian 10, 11 or 12, or Raspbian Buster/Bullseye (If using vendor cloud images stick to stable releases).
 - Minimum 8GB RAM and 40GB HDD.
 - DNS entries matching your default appliance network interface IP (essential for TLS).
 - Open TCP ports: 22, 80, and 443.
diff --git a/useful-config-info.txt b/guac-management/useful-config-info.txt
similarity index 97%
rename from useful-config-info.txt
rename to guac-management/useful-config-info.txt
index ea8c1c5..0fcd285 100644
--- a/useful-config-info.txt
+++ b/guac-management/useful-config-info.txt
@@ -1,92 +1,92 @@
-#########################
-Connection setup tips:
-#########################
-# Quick connection syntax (Windows 10 RDP)
- rdp://user@xxx.xxx.xxx.xxx/?security=nla&ignore-cert=true
-
-# To view links to recorded sessions from within the connection history page:
- 1. Install the history-recording-storage option
- 2. For each connection configuration profile, in the Screen Recording section set:
- Recording Path = ${HISTORY_PATH}/${HISTORY_UUID}
- Automatically create recording path = tick
-
-# To create a quasi SSO pass through for LDAP and others, for each connection configuration profile:
- Add ${GUAC_USERNAME} to the Username field for each connection profile
- Add ${GUAC_PASSWORD} to the Password field for each connection profile
-
-
-####################
-Guacamole Debug mode
-####################
-sudo systemctl stop guacd && sudo /usr/local/sbin/guacd -L debug -f #Verbose logs will start in the console.
-
-
-################################################
-Switch to Debian Testing repo
-(upgrade/bugfix beyond a current stable package)
-################################################
-sudo apt update && sudo apt upgrade -y # Update first
-sudo cp /etc/apt/sources.list sources.list.backup # Backup sources list
-sudo sed -i 's/bullseye/testing/g' /etc/apt/sources.list # Switch to testing
-
-sudo nano /etc/apt/sources.list # Now manually edit
- comment out all lines having "security.debian.org"
- comment out all lines that end with "updates"
- add this line: deb http://security.debian.org testing-security main
-
-sudo apt update && sudo apt-get install --only-upgrade libssh2-1-dev # update an individual package
-
-
-
-###############################################
-Audit Guacamole Connections and User access.
-###############################################
-mysql -u root -p guacamole_db
-select
- guacamole_entity.name,
- guacamole_connection.connection_name,
- guacamole_connection_permission.permission
-from
- guacamole_connection
- left join guacamole_connection_permission on guacamole_connection_permission.connection_id = guacamole_connection.connection_id
- left join guacamole_entity on guacamole_entity.entity_id = guacamole_connection_permission.entity_id
-where
- guacamole_connection_permission.permission = 'READ'
- and guacamole_entity.name != 'guacadmin';
-Quit to exit
-
-
-###############################################
-# Manually reset TOTP configuration for a user
-###############################################
-# This is likely not needed beyond in Gucamole 1.40 as the gui provides an option to reset. Kept for reference.
-mysql -u root -p
-use guacamole_db;
-SELECT user_id FROM guacamole_user INNER JOIN guacamole_entity ON guacamole_entity.entity_id = guacamole_user.entity_id WHERE guacamole_entity.name = 'guacadmin';
-UPDATE guacamole_user_attribute SET attribute_value='false' WHERE attribute_name = 'guac-totp-key-confirmed' and user_id = '1';
-quit;
-
-
-###############################################
-# Quick troubleshoot SQL commands
-###############################################
-# Login
-sudo mysql -u root -p
-
-# Check time zone
-SELECT @@time_zone;
-
-# Rename user from local to remove access
-use guacamole_db;
-RENAME USER '${GUAC_USER}'@'%' TO '${GUAC_USER}'@'xx.xx.xx.%';
-
-# Check user access
-SELECT user,host FROM mysql.user;
-SHOW GRANTS FOR guacamole_user;
-
-#########################
-Nginx load / DoS testing
-#########################
-https://ourcodeworld.com/articles/read/949/how-to-perform-a-dos-attack-slow-http-with-slowhttptest-test-your-server-slowloris-protection-in-kali-linux
-slowhttptest -c 10000 -H -g -o ./output_file -i 3 -r 500 -t GET -u http://jumpbox.domain.com -x 24 -p 2
-
+#########################
+Connection setup tips:
+#########################
+# Quick connection syntax (Windows 10 RDP)
+ rdp://user@xxx.xxx.xxx.xxx/?security=nla&ignore-cert=true
+
+# To view links to recorded sessions from within the connection history page:
+ 1. Install the history-recording-storage option
+ 2. For each connection configuration profile, in the Screen Recording section set:
+ Recording Path = ${HISTORY_PATH}/${HISTORY_UUID}
+ Automatically create recording path = tick
+
+# To create a quasi SSO pass through for LDAP and others, for each connection configuration profile:
+ Add ${GUAC_USERNAME} to the Username field for each connection profile
+ Add ${GUAC_PASSWORD} to the Password field for each connection profile
+
+
+####################
+Guacamole Debug mode
+####################
+sudo systemctl stop guacd && sudo /usr/local/sbin/guacd -L debug -f #Verbose logs will start in the console.
+
+
+################################################
+Switch to Debian Testing repo
+(upgrade/bugfix beyond a current stable package)
+################################################
+sudo apt update && sudo apt upgrade -y # Update first
+sudo cp /etc/apt/sources.list sources.list.backup # Backup sources list
+sudo sed -i 's/bullseye/testing/g' /etc/apt/sources.list # Switch to testing
+
+sudo nano /etc/apt/sources.list # Now manually edit
+ comment out all lines having "security.debian.org"
+ comment out all lines that end with "updates"
+ add this line: deb http://security.debian.org testing-security main
+
+sudo apt update && sudo apt-get install --only-upgrade libssh2-1-dev # update an individual package
+
+
+
+###############################################
+Audit Guacamole Connections and User access.
+###############################################
+mysql -u root -p guacamole_db
+select
+ guacamole_entity.name,
+ guacamole_connection.connection_name,
+ guacamole_connection_permission.permission
+from
+ guacamole_connection
+ left join guacamole_connection_permission on guacamole_connection_permission.connection_id = guacamole_connection.connection_id
+ left join guacamole_entity on guacamole_entity.entity_id = guacamole_connection_permission.entity_id
+where
+ guacamole_connection_permission.permission = 'READ'
+ and guacamole_entity.name != 'guacadmin';
+Quit to exit
+
+
+###############################################
+# Manually reset TOTP configuration for a user
+###############################################
+# This is likely not needed beyond in Gucamole 1.40 as the gui provides an option to reset. Kept for reference.
+mysql -u root -p
+use guacamole_db;
+SELECT user_id FROM guacamole_user INNER JOIN guacamole_entity ON guacamole_entity.entity_id = guacamole_user.entity_id WHERE guacamole_entity.name = 'guacadmin';
+UPDATE guacamole_user_attribute SET attribute_value='false' WHERE attribute_name = 'guac-totp-key-confirmed' and user_id = '1';
+quit;
+
+
+###############################################
+# Quick troubleshoot SQL commands
+###############################################
+# Login
+sudo mysql -u root -p
+
+# Check time zone
+SELECT @@time_zone;
+
+# Rename user from local to remove access
+use guacamole_db;
+RENAME USER '${GUAC_USER}'@'%' TO '${GUAC_USER}'@'xx.xx.xx.%';
+
+# Check user access
+SELECT user,host FROM mysql.user;
+SHOW GRANTS FOR guacamole_user;
+
+#########################
+Nginx load / DoS testing
+#########################
+https://ourcodeworld.com/articles/read/949/how-to-perform-a-dos-attack-slow-http-with-slowhttptest-test-your-server-slowloris-protection-in-kali-linux
+slowhttptest -c 10000 -H -g -o ./output_file -i 3 -r 500 -t GET -u http://jumpbox.domain.com -x 24 -p 2
+