ssl labels now tls and other tidy ups

This commit is contained in:
Itiligent 2023-08-21 01:27:46 +10:00 committed by itiligent
parent 6b2d2afe6d
commit ca43e73546
15 changed files with 163 additions and 237 deletions


@ -17,8 +17,8 @@
# 1-setup.sh is a central script that manages all inputs, options and sequences other included 'install' scripts.
# 2-install-guacamole is the main guts of the whole build. This script downloads and builds Guacamole from source.
# 3-install-nginx.sh automatically installs and configures Nginx to work as an http port 80 front end to Guacamole
# 4a-install-self-signed-nginx.sh sets up the new Nginx/Guacamole front end with self signed SSL certificates.
# 4b-install-ssl-letsencrypt-nginx.sh sets up Nginx with public SSL certificates from LetsEncrypt.
# 4a-install-self-signed-nginx.sh sets up the new Nginx/Guacamole front end with self signed TLS certificates.
# 4b-install-tls-letsencrypt-nginx.sh sets up Nginx with public TLS certificates from LetsEncrypt.
# Scripts with "add" in their name can be run post guacamole setup to add optional features not included in the main install
clear
@ -32,6 +32,7 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour
# Make sure the user is NOT running this as root
if [[ $EUID -eq 0 ]]; then
echo
echo -e "${LRED}This script must NOT be run as root, exiting..." 1>&2
@ -39,6 +40,7 @@ if [[ $EUID -eq 0 ]]; then
exit 1
fi
# Make sure the user is a member of the sudo group
if ! [ $(id -nG "$USER" 2>/dev/null | egrep "sudo" | wc -l) -gt 0 ]; then
echo
echo -e "${LRED}The current user (${USER}) must be a member of the 'sudo' group, exiting..." 1>&2
@ -51,11 +53,11 @@ if [ "$(find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-j-*'
# Script branding header
echo
echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Guacamole"
echo -e " ${LGREEN}Powered by Guacamole"
echo
echo
echo -e "${LRED}Possible previous temp files detected in current build path. Please review and remove old 'guacamole-*' & 'mysql-connector-j-*' files before proceeding.${GREY}" 1>&2
echo -e "${LRED}Possible previous install files detected in current build path. Please review and remove old guacamole install files files before proceeding.${GREY}" 1>&2
echo
exit 1
fi
@ -70,7 +72,7 @@ DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup
DB_BACKUP_DIR=$USER_HOME_DIR/mysqlbackups/
TMP_DIR=$DOWNLOAD_DIR/tmp
# Github download branch
# GitHub download branch
GITHUB="https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/"
#Version of Guacamole to install
@ -84,6 +86,7 @@ MYSQLJCON="8.0.33"
# Select a specific MySQL version. See https://mariadb.org/mariadb/all-releases/
MYSQL_VERSION="" # If left blank, script will use Linux distro default version packages.
# Setup MySQL package name variables to call based on the above MYSQL_VERSION option
if [ -z "${MYSQL_VERSION}" ]; then
# Use Linux distro default version.
MYSQLSRV="default-mysql-server default-mysql-client mysql-common"
@ -115,7 +118,7 @@ LOG_LOCATION="${DOWNLOAD_DIR}/guacamole_${GUAC_VERSION}_setup.log"
GUAC_URL=http://localhost:8080/guacamole/
# Depending on the Linux distro, required libraries have varied names. Standardising with names makes adapting
# to other distros easier.
# to other distros easier. Here the variables for the library dependency names are initialised.
source /etc/os-release
OS_FLAVOUR=$ID
OS_VERSION=$VERSION
@ -172,15 +175,15 @@ INSTALL_DUO="" # Add DUO MFA extension (can't be installed simu
INSTALL_LDAP="" # Add Active Directory extension (true/false)
CHANGE_ROOT="" # Set default Guacamole URL to http root (remove extra "/guacamole" from the default URL)
INSTALL_NGINX="" # Install and configure Guacamole behind Nginx reverse proxy (http port 80 only, true/false)
PROXY_SITE="" # Local DNS name for reverse proxy and/or self signed ssl certificates
SELF_SIGN="" # Add self signed SSL support to Nginx (Let's Encrypt not available with this, true/false)
PROXY_SITE="" # Local DNS name for reverse proxy and/or self signed TLS certificates
SELF_SIGN="" # Add self signed TLS support to Nginx (Let's Encrypt not available with this option, true/false)
CERT_COUNTRY="AU" # Self signed cert setup: 2 country character code only, must not be blank
CERT_STATE="Victoria" # Self signed cert setup: Optional to change, must not be blank
CERT_LOCATION="Melbourne" # Self signed cert setup: Optional to change, must not be blank
CERT_ORG="Itiligent" # Self signed cert setup: Optional to change, must not be blank
CERT_OU="I.T." # Self signed cert setup: Optional to change, must not be blank
CERT_DAYS="3650" # Self signed cert setup: Number of days until self signed certificate expiry
LETS_ENCRYPT="" # Add Lets Encrypt public SSL support for Nginx (self signed SSL certs not available with this option, true/false)
LETS_ENCRYPT="" # Add Lets Encrypt public TLS support for Nginx (self signed TLS certs not available with this option, true/false)
LE_DNS_NAME="" # Public DNS name to bind with Lets Encrypt certificates
LE_EMAIL="" # Webmaster/admin email for Lets Encrypt notifications
BACKUP_EMAIL="" # Email address for backup notifications
@ -192,7 +195,7 @@ RDP_PRINTER_LABEL="RDP Printer" # Custom Windows RDP printer name
# Script branding header
echo
echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Guacamole"
echo -e " ${LGREEN}Powered by Guacamole"
echo
echo
@ -210,8 +213,8 @@ cd $DOWNLOAD_DIR
echo -e "${GREY}Downloading setup files...${DGREY}"
wget -q --show-progress ${GITHUB}2-install-guacamole.sh -O 2-install-guacamole.sh
wget -q --show-progress ${GITHUB}3-install-nginx.sh -O 3-install-nginx.sh
wget -q --show-progress ${GITHUB}4a-install-ssl-self-signed-nginx.sh -O 4a-install-ssl-self-signed-nginx.sh
wget -q --show-progress ${GITHUB}4b-install-ssl-letsencrypt-nginx.sh -O 4b-install-ssl-letsencrypt-nginx.sh
wget -q --show-progress ${GITHUB}4a-install-tls-self-signed-nginx.sh -O 4a-install-tls-self-signed-nginx.sh
wget -q --show-progress ${GITHUB}4b-install-tls-letsencrypt-nginx.sh -O 4b-install-tls-letsencrypt-nginx.sh
# Grab Guacamole manual add on/upgrade scripts
wget -q --show-progress ${GITHUB}add-auth-duo.sh -O add-auth-duo.sh
wget -q --show-progress ${GITHUB}add-auth-ldap.sh -O add-auth-ldap.sh
@ -220,7 +223,7 @@ wget -q --show-progress ${GITHUB}add-smtp-relay-o365.sh -O add-smtp-relay-o365.s
wget -q --show-progress ${GITHUB}upgrade-guac.sh -O upgrade-guac.sh
# Grab backup and security hardening scripts
wget -q --show-progress ${GITHUB}backup-guac.sh -O backup-guac.sh
wget -q --show-progress ${GITHUB}add-ssl-guac-gaucd.sh -O add-ssl-guac-gaucd.sh
wget -q --show-progress ${GITHUB}add-tls-guac-daemon.sh -O add-tls-guac-daemon.sh
wget -q --show-progress ${GITHUB}add-fail2ban.sh -O add-fail2ban.sh
# Grab a (customisable) branding extension
wget -q --show-progress ${GITHUB}branding.jar -O branding.jar
@ -231,7 +234,7 @@ clear
# Script branding header
echo
echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Guacamole"
echo -e " ${LGREEN}Powered by Guacamole"
echo
echo
@ -249,7 +252,7 @@ sudo chown -R $SUDO_USER:root $TMP_DIR
# We need a default hostname value available to apply even if we do not want to change the hostname. This approach allows the
# user to simply hit enter at the prompt without this creating a blank entry into the /etc/hosts file.
# hostnames and matching DNS entries are essential for implementing SSL successfully.
# hostnames and matching DNS entries are essential for implementing TLS successfully.
if [[ -z ${SERVER_NAME} ]]; then
echo -e "${LYELLOW}Update Linux system HOSTNAME [Enter to keep: ${HOSTNAME}]${LGREEN}"
read -p " Enter new HOSTNAME : " SERVER_NAME
@ -269,7 +272,7 @@ else
sudo systemctl restart systemd-hostnamed &>>${LOG_LOCATION}
fi
# We need a dns suffix to append to the hostname so as SSL can be available.
# We need a dns suffix to append to the hostname so as TLS can be available.
if [[ -z ${LOCAL_DOMAIN} ]]; then
echo -e "${LYELLOW}Update Linux LOCAL DNS DOMAIN [Enter to keep: ${DOMAIN_SUFFIX}]${LGREEN}"
read -p " Enter FULL LOCAL DOMAIN NAME: " LOCAL_DOMAIN
@ -310,7 +313,7 @@ clear
# Script branding header
echo
echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Guacamole"
echo -e " ${LGREEN}Powered by Guacamole"
echo
echo
@ -504,10 +507,10 @@ if [ -z "${PROXY_SITE}" ]; then
PROXY_SITE="${DEFAULT_FQDN}"
fi
# Prompt for self signed SSL reverse proxy option
# Prompt for self signed TLS reverse proxy option
if [[ -z ${SELF_SIGN} ]] && [[ "${INSTALL_NGINX}" = true ]]; then
# Prompt the user to see if they would like to install self signed SSL support for Nginx, default of no
echo -e -n "FRONT END: Add self signed SSL support to Nginx? [y/N]? (choose 'n' for Let's Encrypt)[default n]: "
# Prompt the user to see if they would like to install self signed TLS support for Nginx, default of no
echo -e -n "FRONT END: Add self signed TLS support to Nginx? [y/N]? (choose 'n' for Let's Encrypt)[default n]: "
read PROMPT
if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
SELF_SIGN=true
@ -516,19 +519,19 @@ if [[ -z ${SELF_SIGN} ]] && [[ "${INSTALL_NGINX}" = true ]]; then
fi
fi
# Optional prompt to assign the self sign SSL certificate a custom expiry date, un-comment to force a manual entry
# Optional prompt to assign the self sign TLS certificate a custom expiry date, un-comment to force a manual entry
#if [ "${SELF_SIGN}" = true ]; then
# read - p "PROXY: Enter number of days till SSL certificate expires [default 3650]: " CERT_DAYS
# read - p "PROXY: Enter number of days till TLS certificate expires [default 3650]: " CERT_DAYS
#fi
# If no self sign SSL certificate expiry given, lets assume a generous 10 year default certificate expiry
# If no self sign TLS certificate expiry given, lets assume a generous 10 year default certificate expiry
if [ -z "${CERT_DAYS}" ]; then
CERT_DAYS="3650"
fi
# Prompt for Let's Encrypt SSL reverse proxy configuration option
# Prompt for Let's Encrypt TLS reverse proxy configuration option
if [[ -z ${LETS_ENCRYPT} ]] && [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = "false" ]]; then
echo -e -n "FRONT END: Add Let's Encrypt SSL support to Nginx reverse proxy [y/N] [default n]: ${GREY}"
echo -e -n "FRONT END: Add Let's Encrypt TLS support to Nginx reverse proxy [y/N] [default n]: ${GREY}"
read PROMPT
if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
LETS_ENCRYPT=true
@ -565,7 +568,7 @@ fi
clear
echo
echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Guacamole"
echo -e " ${LGREEN}Powered by Guacamole"
echo
echo
echo -e "${LGREEN}Beginning Guacamole setup...${GREY}"
@ -599,11 +602,11 @@ sed -i "s|GUAC_DB=|GUAC_DB='${GUAC_DB}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|DB_BACKUP_DIR=|DB_BACKUP_DIR='${DB_BACKUP_DIR}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|BACKUP_EMAIL=|BACKUP_EMAIL='${BACKUP_EMAIL}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|BACKUP_RETENTION=|BACKUP_RETENTION='${BACKUP_RETENTION}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
# Export the relevant variable selections to child install scripts
export BACKUP_EMAIL=$BACKUP_EMAIL
@ -675,16 +678,16 @@ if [ "${INSTALL_NGINX}" = true ]; then
echo -e "${LGREEN}Nginx install complete\nhttp://${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi
# Apply self signed SSL certificates to Nginx reverse proxy if option is selected
# Apply self signed TLS certificates to Nginx reverse proxy if option is selected
if [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = true ]]; then
sudo -E ./4a-install-ssl-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS}
sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS}
echo -e "${LGREEN}Self signed certificate configured for Nginx \n${LYELLOW}https:${LGREEN}//${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi
# Apply Let's Encrypt SSL certificates to Nginx reverse proxy if option is selected
# Apply Let's Encrypt TLS certificates to Nginx reverse proxy if option is selected
if [[ "${INSTALL_NGINX}" = true ]] && [[ "${LETS_ENCRYPT}" = true ]]; then
sudo -E ./4b-install-ssl-letsencrypt-nginx.sh
echo -e "${LGREEN}Let's Encrypt SSL configured for Nginx \n${LYELLOW}https:${LGREEN}//${LE_DNS_NAME} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
sudo -E ./4b-install-tls-letsencrypt-nginx.sh
echo -e "${LGREEN}Let's Encrypt TLS configured for Nginx \n${LYELLOW}https:${LGREEN}//${LE_DNS_NAME} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi
# Duo Settings reminder - If Duo is selected you can't login to Guacamole at all until this extension is fully configured
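Review bot: The rewritten sed line for CERT_LOCATION still carries a typo: `${CERT_LOCATION=}` is the assign-default-if-unset expansion rather than a plain reference, so the intended line is `sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh`. It happens to behave when the variable is already set, which is why it survived the rename unnoticed. Separately, the same section re-points the wget downloads to the new script names, and those scripts are later executed via `sudo -E` with no checksum or signature comparison against what was fetched from the `main` branch of the raw GitHub URL; pinning to a release tag and verifying a sha256 would make that trust verifiable, and at minimum a comment above the download block should state that the appliance's root-level steps are whatever that URL serves at install time. The values pushed into the child script through sed also land inside single quotes, so a `'` or `|` in any CERT_* value would corrupt the generated file; since those are currently fixed constants at the top of 1-setup.sh this is a hardening note rather than a live bug.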


@ -4,8 +4,6 @@
# For Ubuntu / Debian / Raspbian
# David Harrop
# April 2023
# Special thanks to MysticRyuujin for much of the guac install outline here
# pls see https://github.com/MysticRyuujin/guac-install for more
#######################################################################################################################
# Prepare text output colours


@ -1,6 +1,6 @@
#!/bin/bash
#######################################################################################################################
# Add Nginx reverse proxy fromt end to default Guacamole install
# Add Nginx reverse proxy front end to default Guacamole install
# For Ubuntu / Debian / Raspbian
# 3 of 4
# David Harrop
@ -55,8 +55,6 @@ fi
sudo sed -i -e '/ssl_protocols/s/^/#/' /etc/nginx/nginx.conf
sudo sed -i "/SSL Settings/a \ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE" /etc/nginx/nginx.conf
# Symlink from sites-available to sites-enabled
ln -s /etc/nginx/sites-available/$PROXY_SITE /etc/nginx/sites-enabled/


@ -1,6 +1,6 @@
#!/bin/bash
#######################################################################################################################
# Add self signed SSL certificates to Guacamole with Nginx reverse proxy
# Add self signed TLS certificates to Guacamole with Nginx reverse proxy
# For Ubuntu / Debian / Rasbpian
# 4a of 4
# David Harrop
@ -18,41 +18,15 @@ NC='\033[0m' #No Colour
echo
echo
echo -e "${LGREEN}Setting up self signed SSL certificates for Nginx...${GREY}"
echo -e "${LGREEN}Setting up self signed TLS certificates for Nginx...${GREY}"
echo
# Setup script cmd line arguments for proxy site and certificate days
SSLNAME=$1
SSLDAYS=$2
#######################################################################################################################
# If you wish to add/regenerate self signed SSL to a pre-existing Nginx install, this script can be adapted to be run
# standalone. To run as standalone, simply un-comment this entire section and provide the desired variable
# values to complete the reconfiguration of Nginx.
# Variable inputs
#TOMCAT_VERSION="tomcat9" # Not needed for general SSL install(if Guacamole not present, also comment the tomcat restart)
#DOWNLOAD_DIR=$(eval echo ~${SUDO_USER})
#LOG_LOCATION="${DOWNLOAD_DIR}/ssl_install.log"
#TMP_DIR=/tmp
#GUAC_URL=http://localhost:8080/guacamole/ # substitute for whatever url that nginx is proxying
#CERT_COUNTRY="AU" # must be two letter code!
#CERT_STATE="Victoria"
#CERT_LOCATION="Melbourne"
#CERT_ORG="Itiligent"
#CERT_OU="I.T. dept"
#PROXY_SITE=$SSLNAME
# To run manually or to regenerate SSL certificates, this script must be run in the current user environment [-E switch]
# Be aware that running this script just as sudo will save certs to sudo's home path with incorrect permissions,
# plus the custom certificate install instructions shown after running will be invalid.
# e.g. sudo -E ./4a-install-ssl-self-signed-nginx.sh proxy-site-name 3650
#######################################################################################################################
# Discover IPv4 interface
echo -e "${GREY}Discovering the default route interface and Proxy DNS name to bind with the new SSL certificate..."
echo -e "${GREY}Discovering the default route interface and Proxy DNS name to bind with the new TLS certificate..."
DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1)
if [ $? -ne 0 ]; then
echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
@ -62,8 +36,8 @@ else
echo
fi
echo -e "${GREY}New self signed SSL certificate attributes are shown below...${DGREY}"
# Display the new SSL cert parameters.
echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}"
# Display the new TLS cert parameters.
cat <<EOF | tee -a $TMP_DIR/cert_attributes.txt
[req]
distinguished_name = req_distinguished_name
@ -88,18 +62,12 @@ subjectAltName = @alt_names
DNS.1 = $PROXY_SITE
IP.1 = $DEFAULT_IP
EOF
# Add IP.2 & IP.3 above EOF as needed.
#IP.2 = $IP3
#IP.3 = $IP3
# Additional DNS names can also be manually added into the above cat <<EOF as needed.
#DNS.2 =
#DNS.3 =
# Set default certificate file destinations. These can be adapted for any other SSL application.
# Set default certificate file destinations. These can be adapted for any other TLS application.
DIR_SSL_CERT="/etc/nginx/ssl/cert"
DIR_SSL_KEY="/etc/nginx/ssl/private"
# Make directories to place SSL Certificate if they don't exist
# Make directories to place TLS Certificate if they don't exist
if [[ ! -d $DIR_SSL_KEY ]]; then
sudo mkdir -p $DIR_SSL_KEY
fi
@ -113,7 +81,7 @@ if [[ $SSLDAYS == "" ]]; then
fi
echo
echo "{$GREY}Creating a new Nginx SSL Certificate ..."
echo "{$GREY}Creating a new Nginx TLS Certificate ..."
openssl req -x509 -nodes -newkey rsa:2048 -keyout $SSLNAME.key -out $SSLNAME.crt -days $SSLDAYS -config $TMP_DIR/cert_attributes.txt
if [ $? -ne 0 ]; then
echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
@ -123,7 +91,7 @@ else
echo
fi
# Place SSL Certificate within defined path
# Place TLS Certificate within defined path
sudo cp $SSLNAME.key $DIR_SSL_KEY/$SSLNAME.key
sudo cp $SSLNAME.crt $DIR_SSL_CERT/$SSLNAME.crt
@ -151,7 +119,7 @@ else
fi
# Update Nginx config to accept the new certificates
echo -e "${GREY}Configuring Nginx proxy to use self signed SSL certificates and setting up automatic HTTP to HTTPS redirect...${DGREY}"
echo -e "${GREY}Configuring Nginx proxy to use self signed TLS certificates and setting up automatic HTTP to HTTPS redirect...${DGREY}"
#cat > /etc/nginx/sites-available/$PROXY_SITE <<EOL | > /dev/null
cat <<EOF | tee /etc/nginx/sites-available/$PROXY_SITE
server {
@ -233,7 +201,7 @@ SHOWASTEXT1='$mypwd'
SHOWASTEXT2='"Cert:\LocalMachine\Root"'
printf "${GREY}+-------------------------------------------------------------------------------------------------------------
${LGREEN}+ WINDOWS CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
${LGREEN}+ WINDOWS CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+
+ 1. In ${DOWNLOAD_DIR} is a Windows version of the new certificate ${LYELLOW}$SSLNAME.pfx${GREY}
+ 2. Import this PFX file into your Windows client with the below Powershell commands (as Administrator):
@ -241,7 +209,7 @@ ${LGREEN}+ WINDOWS CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONT
echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String "1234" -Force -AsPlainText"
echo -e "Import-pfxCertificate -FilePath $SSLNAME.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}""
printf "${GREY}+-------------------------------------------------------------------------------------------------------------
${LGREEN}+ LINUX CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
${LGREEN}+ LINUX CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+
+ 1. In ${DOWNLOAD_DIR} is a new Linux native OpenSSL certificate ${LYELLOW}$SSLNAME.crt${GREY}
+ 2. Import the CRT file into your Linux client certificate store with the below command:
@ -250,7 +218,7 @@ echo -e "(If certutil is not installed, run apt-get install libnss3-tools)"
echo -e "mkdir -p $HOME/.pki/nssdb && certutil -d $HOME/.pki/nssdb -N"
echo -e "certutil -d sql:$HOME/.pki/nssdb -A -t "CT,C,c" -n $SSLNAME -i $SSLNAME.crt"
printf "+-------------------------------------------------------------------------------------------------------------\n"
echo -e "${LYELLOW}The above SSL browser config instructions are saved in ${LGREEN}$LOG_LOCATION${GREY}"
echo -e "${LYELLOW}The above TLS browser config instructions are saved in ${LGREEN}$LOG_LOCATION${GREY}"
# Done
echo -e ${NC}
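Review bot: The renamed status line `echo "{$GREY}Creating a new Nginx TLS Certificate ..."` has the brace on the wrong side of the `$`, so it prints a literal `{`, the raw escape bytes of `$GREY` (plain `echo`, no `-e`) and `}` instead of colouring the text; it should read `echo -e "${GREY}Creating a new Nginx TLS Certificate ..."` like the surrounding messages. The `openssl req ... -nodes` call on the following line writes an unencrypted private key into the current directory before `sudo cp` places a copy under `/etc/nginx/ssl/private`; the original stays behind with the invoking user's default umask, so it should be `chmod 600` or removed once copied — whether a later step already does this is outside this hunk. The printed client instructions also import `$SSLNAME.pfx` into `Cert:\LocalMachine\Root` with the fixed password `1234`; if that PFX bundles the server's private key (the pkcs12 export is not visible here), any client given the file can impersonate the proxy, so the banner should say the .pfx/.crt are for trust only and the key must not leave the server.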


@ -1,6 +1,6 @@
#!/bin/bash
#######################################################################################################################
# Add Let's Encrypt SSL Certificates to Guacamole with Nginx reverse proxy
# Add Let's Encrypt TLS Certificates to Guacamole with Nginx reverse proxy
# For Ubuntu / Debian / Raspbian
# 4b of 4
# David Harrop
@ -18,54 +18,9 @@ NC='\033[0m' #No Colour
echo
echo
echo -e "${LGREEN}Installing Let's Encrypt SSL configuration for Nginx...${GREY}"
echo -e "${LGREEN}Installing Let's Encrypt TLS configuration for Nginx...${GREY}"
echo
#######################################################################################################################
# If you wish to add/regenerate self signed SSL to a pre-existing Nginx install, this script can be adapted to be run
# standalone. To run as standalone, simply un-comment this entire section and provide the desired variable
# values to complete the reconfiguration of Nginx.
# Variable inputs
#TOMCAT_VERSION="tomcat9" # Not be needed for genreral SSL install SSL (i.e. where Guacamole not present)
#DOWNLOAD_DIR=$(eval echo ~${SUDO_USER})
#LOG_LOCATION="${DOWNLOAD_DIR}/ssl_install.log"
#GUAC_URL=http://localhost:8080/guacamole/ # substitute for whatever url that nginx is proxying
# Find the existing nginx site name
#echo -e "${GREY}Discovering exising proxy sites to configure with SSL...${GREY}"
#for file in "/etc/nginx/sites-enabled"/*
#do
#PROXY_SITE="${file##*/}"
#done
#if [ $? -ne 0 ]; then
# echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
# exit 1
# else
# echo -e "${LGREEN}OK${GREY}"
#fi
#echo
# Prompt for the FQDN of the new Let's encrypt certificate
#while true
#do
#echo -e "${LGREEN}"
#read -p "Enter the public FQDN for your proxy site: " LE_DNS_NAME
#echo
# [ "${LE_DNS_NAME}" != "" ] && break
#done
# Prompt for the admin/webmaster email for Let's encrypt certificate notifications
#while true
#do
#echo -e "${LGREEN}"
#read -p "Enter the email address for Let's Encrypt notifications : " LE_EMAIL
#echo
# [ "${LE_EMAIL}" != "" ] && break
#done
#echo -e "${GREY}"
#######################################################################################################################
# Install nginx
apt-get update -qq &>>${LOG_LOCATION}
apt-get install nginx certbot python3-certbot-nginx -qq -y &>>${LOG_LOCATION}
@ -83,7 +38,7 @@ else
fi
# Configure Nginx to accept the new certificates
echo -e "${GREY}Configuring Nginx proxy for Let's Encrypt SSL and setting up automatic HTTP redirect...${GREY}"
echo -e "${GREY}Configuring Nginx proxy for Let's Encrypt TLS and setting up automatic HTTP redirect...${GREY}"
cat >/etc/nginx/sites-available/$PROXY_SITE <<EOL
server {
listen 80 default_server;


@ -41,9 +41,9 @@ ldap-max-search-results:200
```
- **_Important note on `ldap-user-base-dn:`_** _This value sets a position in the directory as a relative root to search within. All Guacamole users to be authenticated by Active Directory must be placed in a lower position within the directory tree to this value. This line can be added multiple times to more efficiently search across multiple branches of a directory tree._
- **_Important note on `ldap-max-search-results:`_** _Yes, there is no space before the :200 value. In larger environments managing the directory efficiently requires we don't query every object in the tree for every user lookup. You may need to adjust this number depending on the number of objects in you tree._
- **_Important note on `ldap-max-search-results:`_** _Yes, there is no space before the :200 value. In larger environments managing the directory efficiently requires we don't query every object in the tree for every user lookup. You may need to adjust this number depending on the number of objects in your tree._
- **_Important note on `mysql-auto-create-accounts:`_** _This line is optional and can be deleted. This line ensures that all Active Directory user accounts will have a matching user account created in the Guacamole db at first logon. Local Guacamole accounts are NOT necessarily needed for access to Guacamole connections - these are only necessary when deploying MFA or you want to assign other settings specific to individual users. Domain users can be provisioned access to connections without creating local users in the Guacamole db. For many use cases, manually creating a small number of Guacamole user accounts to their matching domain accounts may be more preferable than all users inheriting access to establish a local account in the Guacamole db. See below for manual account setup._
- **_Important note on `mysql-auto-create-accounts:`_** _This line is optional and can be deleted. This line ensures that all Active Directory user accounts will have a matching user account created in the Guacamole db at first logon. Local Guacamole accounts are NOT necessarily needed for access to Guacamole connections - these are only necessary when deploying MFA or you want to assign other settings specific to individual users. Domain users can be provisioned access to Guacamole sessions connections without creating local users in the Guacamole db. For many use cases, manually creating a small number of Guacamole user accounts to their matching domain accounts may be more preferable than all users inheriting access to establish a local account in the Guacamole db. See below for manual account setup._
## **4. Run the (now customised) LDAP configuration script**
@ -51,7 +51,7 @@ ldap-max-search-results:200
## **5. Logging on to Guacamole with the new guacbind-ad account**
- When logging in to Guacamole as the new Active Directory account and password created above, that domain user now passes through to Guacamole as both a Guacamole admin and a Domain User. If all is working correctly, all the users located below the directory tree position set in **ldap-user-base-dn** will be listed under **Settings | Users** of the Guacamole management console.
- When logging in to Guacamole as the new Active Directory account and password created above, that domain user now passed through to Guacamole as both a Guacamole admin and a Domain User. If all is working correctly, all the users located below the directory tree position set in **ldap-user-base-dn** will be listed under **Settings | Users** of the Guacamole management console.
## **6. Manually creating and configuring new Guacamole users for Active Directory authentication**
@ -59,15 +59,15 @@ ldap-max-search-results:200
## **7. Logging on using either the local vs the domain guacbind-ad account**
- As described above, logging on with the Guacamole admin user password will authenticate with the local Guacamole admin account, conversely if the Guacamole admin domain account password is given, the domain account is authenticated via Active Directory and then passed through as authorised to administer Guacamole. It may sometimes be necessary to log on with the local Guacamole admin account to manage some admin functions, but be aware that when doing so you will not be able to view and search the user list from Active Directory. Only when logged on with the domain version of the Guacamole admin account can domain user permissions to various Guacamole sessions and objects be delegated and managed.
- As described above, logging on with the Guacamole admin user password will authenticate with the local Guacamole admin account, conversely if the Guacamole admin domain account password is given, the domain account is authenticated via Active Directory and then passed through as authorised to administer Guacamole. It may sometimes be necessary to log on with the local Guacamole admin account to manage some application functions, but be aware that when doing so you will not be able to view and search the user list from Active Directory. Only when logged on with the domain version of the Guacamole admin account can domain user permissions to various Guacamole sessions and objects be delegated and managed.
## **8. Creating a quasi Single Sign On user experience for Windows RDP access**
- Create a Global Security domain group (e.g. Guac_Users) and populate it with selected domain users as required.
- Now add this new security group to the built-in “Remote Desktop Users” domain group.
- Next, for each connection profile you wish to create the SSO behaviour, _parameter_ _tokens_ must be used in place of hard coded usernames and password values as follows...
- Next, for each connection profile you wish to create the SSO experience and behaviour, _parameter_ _tokens_ must be used in place of hard coded usernames and password values as follows...
- Add the parameter token `${GUAC_USERNAME}` to the Username field for each connection profile
- Add the parameter token `${GUAC_PASSWORD}` to the Password field for each connection profile
- If the user has been given directory rights to the Guacamole session object, Guacamole will first authenticate the user to the Guacamole application (via a brokered Active Directory challenge) and then seamlessly pass the user's same domain credentials through to the Guacamole remote desktop session, thus avoiding any further remote desktop authentication prompts.
- For more info on other dynamic connection settings see https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
- For full SSO, the SAML authentication must be used. As the SAML extension requires a very bespoke approach to configuring login providers and login behaviours, the SAML authentication feature is beyond the scope of this project.
- For full SSO, the SAML authentication extension must be used. As the Guacamole SAML extension requires a very bespoke approach to configuring login providers and login behaviours, the SAML authentication feature is beyond the scope of this project. If your organisation already uses SAML within your infrastructure then you likely already know what to do to implement.


@ -1,68 +1,64 @@
# **Guacamole 1.5.3 VDI / Jump Server Appliance Build Script**
A menu based build & install script for Guacamole 1.5.3 with support for TLS reverse proxy, AD integration, multi-factor authentication and further security hardening.
A menu based source build & install script for Guacamole 1.5.3 with support for TLS reverse proxy, AD integration, multi-factor authentication and further security hardening.
### **Automatic build, install & config script**
To install Guacamole, paste the following command into your terminal **(do not run as sudo)**:
To build the Guacamole appliance, paste the below link into a terminal and follow prompts **(do not run as sudo)**:
```
wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh
```
## **Prerequisites**
### PLEASE NOTE: DEBIAN 12 & Tomcat 10 NOT COMPATIBLE - SEE ISSUE #10
### NOTE: DEBIAN 12 & TOMCAT 10 NOT CURRENTLY COMPATIBLE - SEE ISSUE #10
- **Ubuntu 18.04 - 22.x / Debian 11 & 10 / Raspbian Buster or Bullseye**
- *(if using OS vendor cloud images - you must use **stable releases of the above OS variants.** Daily cloud image builds are akin to rolling releases and may contain as yet unsupported updates that break Guacamole!)*
- Minimum 8GB RAM and 40GB HDD
- Public or private DNS entries that match the default route interface IP address (required for TLS)
- Incoming access on TCP ports 22, 80, and 443
- The user executing the wget installer script **must be a member of the sudo group**
- Do not run as root. The user executing the installer script must instead be a **member of the sudo group**
## **Setup Menu Flow**
## **Installer Menu Flow**
### **1. Confim the system hostname & local domain suffix**
- Change or keep the current hostname and local DNS suffix
### **1. Confirm the system hostname & local dns domain suffix**
### **2. Select a MySQL instance type and security baseline**
- Install a new local MySQL instance, or choose an existing/remote MySQL instance.
- Install a new local MySQL instance, or choose an existing/remote MySQL instance?
- *Optionally add MySQL **mysql_secure_installation** settings to the selected MySQL instance*
- *Optionally provide an email address for backup messages and alerts*
### **3. Pick an authentication extension**
- **DUO, TOTP, LDAP or None**
- *Simultaneous TOTP and DUO not possible, but LDAP with TOTP is ok.*
- DUO, TOTP, LDAP or none?
### **4. Choose the Guacamole front end**
- **Install Nginx reverse Proxy?** [y/n]
- No: Keep the Guacamole native front end & url http://server.local:8080/guacamole
- *Sub option: Change Guacamole's default url to http root? Yes = http://server.local:8080*
- No: Keeps the Guacamole native front end & url http://server.local:8080/guacamole
- Yes: Prompts for a reverse proxy local dns name (this can be different to the hostname)
- **Install Nginx reverse proxy with a self-signed SSL certificate?** [y/n]
- No: Installs Nginx as **http** reverse proxy with the given local dns name e.g. http://server.local
- Yes: Installs Nginx as **https** reverse proxy with the given local dns name e.g https://server.local
- *Auto configures Nginx with a self signed TLS certificate and http redirect*
- *Auto generates Windows & Linux client browser certificates*
- **Install Nginx reverse proxy with a self-signed TLS certificate?** [y/n]
- No: Installs Nginx as **http** reverse proxy, Guacamole site set to http://server.local
- Yes: Installs Nginx as **https** reverse proxy, Guacamole site set to https://server.local
- *Nginx is configured with a self signed TLS certificate and http redirect*
- *Windows & Linux self signed client browser certificates generated*
- **Install Nginx reverse proxy with a Let's Encrypt certificate?** [y/n]
- Yes: = Prompts for a webmaster email & public reverse proxy dns name e.g https://your-public-site.com
- *Installs Nginx with the given public dns name*
- *Auto configures Nginx with a new LetsEncrypt certificate and http redirect*
- *Auto configures certificate notifications to the webmaster email*
- *Auto schedules recurring certificate renewals*
- Yes: Prompts for a webmaster email & public reverse proxy dns name
- *Installs Nginx as **https** reverse proxy, Guacamole site set to* https://your-public-site.com
- *Nginx configured with a new LetsEncrypt certificate and http redirect*
- *Ongoing certbot certificate renewals scheduled*
## **Optional post install hardening**
## **Post install hardening options**
The installer downloads additional scripts to manually run:
- `add-fail2ban.sh` - Adds a conservative fail2ban lockdown policy to Guacamole & whitelists local LAN
- `add-ssl-guac-gaucd.sh` - Encrypts internal traffic between Guacamole application and Guacd daemon with TLS
- `add-auth-ldap.sh` - Template script for integrating with Active Directory (See ACTIVE-DIRECTORY-HOW-TO.md)
- `add-smtp-relay-o365.sh` - Template script for email alerts via MSO65 (SMTP auth, requires BYO app password)
The installer additionally downloads the following manual configuration scripts:
- `add-fail2ban.sh` - Adds a baseline fail2ban lockdown policy to Guacamole (& whitelists the local subnet)
- `add-tls-guac-daemon.sh` - Adds a TLS wrapper to internal traffic between the Guacamole application and guacd server daemon
- `add-auth-ldap.sh` - A template script for integrating Guacamole with Active Directory
- `add-smtp-relay-o365.sh` - A template script for email alerts via MSO65 (SMTP auth via BYO app password)
## **Active Directory integration**
@ -71,32 +67,31 @@ See Active Directory authentication instructions [here](https://github.com/itili
## **Installation notes**
To create a custom or unattended setup, follow these steps:
1. From a terminal session, change to your home directory then paste and run the above wget setup link.
The installer can be run interactively, or for a customised/unattended setup:
1. From a terminal session, change to your home directory then paste and run the above wget autorun link.
2. Exit the `1-setup.sh` script at the first prompt. (At this point only the scripts have downloaded).
3. Customise the installation variables in the "Silent setup options" section of `1-setup.sh` as appropriate.
- *Note that script variables with an actual value (e.g. `VARIABLE="value"`) will not prompt during the interactive setup. This means that with the right combination of script variable inputs, it is possible to mass deploy full Guacamole appliances with zero touch.*
4. **After setting your custom variable values in `1-setup.sh`, you must now run the modified script saved locally with `./1-setup.sh` Beware: If you run the setup script once again via the wget link you will overwrite all your changes!**
- *There should be no need to customise any scripts other than `1-setup.sh` as all install options are managed in this parent script.*
- *If you must make changes to any other downloaded scripts, you must also comment out their corresponding wget lines in the "Download GitHub Setup" section at the top of `1-setup.sh` to prevent a re-download and overwrite when re-running the setup.*
- *Be aware that all optional (manually run) `add-xxxx.sh` scripts are dynamically updated during the installation with variables selected at install. Editing anything other than `1-setup.sh` may break this functionality.*
6. If the self signed SSL option is selected, client TLS certificates are saved to `$DOWNLOAD_DIR/guac-setup`.
7. If any TLS option is selected, Nginx is configured to only support connections using TLS 1.2 or above.
3. Customise the many installation variables in the "Silent setup options" section of `1-setup.sh` as appropriate.
- *Script variables with a given value (e.g. `VARIABLE="value"`) will not prompt during the interactive setup. With the right combination of custom script variables, it is possible to deploy Guacamole appliance(s) with zero touch in only minutes.*
4. **Beware: If any settings in `1-setup.sh` are edited, you must run this modified script locally. If you run the wget autorun link again you will overwrite all your changes!**
- *All install options are managed from within `1-setup.sh`. If you edit any of the other downloaded scripts, **you must also comment out each script's corresponding download link** within the "Download GitHub Setup" section of `1-setup.sh` to prevent re-download and overwrite when running setup.*
- *Some manual scripts are automatically customised at installation to reflect various install settings and options.*
6. If the TLS self signed option is selected, client TLS certificates will be saved to `$DOWNLOAD_DIR/guac-setup`.
7. Nginx is configured to only support TLS 1.2 or above.
## **Setup download manifest**
## **Download manifest**
The setup command mentioned above downloads the following items into the `$DOWNLOAD_DIR/guac-setup` directory:
The autorun link above downloads the following items into the `$DOWNLOAD_DIR/guac-setup` directory:
- `1-setup.sh`: The parent install script itself
- `2-install-guacamole.sh`: Guacamole installation script (inspired by [MysticRyuujin/guac-install](https://github.com/MysticRyuujin/guac-install))
- `1-setup.sh`: The parent install script itself (saved to the current directory)
- `2-install-guacamole.sh`: Guacamole installation script (based on [MysticRyuujin/guac-install](https://github.com/MysticRyuujin/guac-install))
- `3-install-nginx.sh`: Installs Nginx & auto-configures a front-end reverse proxy for Guacamole (optional)
- `4a-install-ssl-self-signed-nginx.sh`: Configures self-signed TLS certificate for Nginx proxy (optional)
- `4b-install-ssl-letsencrypt-nginx.sh`: Installs & configures Let's Encrypt for Nginx proxy (optional)
- `4a-install-tls-self-signed-nginx.sh`: Configures self-signed TLS certificate for Nginx proxy (optional)
- `4b-install-tls-letsencrypt-nginx.sh`: Installs & configures Let's Encrypt for Nginx proxy (optional)
- `add-auth-duo.sh`: Adds the Duo MFA extension if not selected during install (optional)
- `add-auth-ldap.sh`: Adds the Active Directory extension and setup template if not selected at install (optional)
- `add-auth-totp.sh`: Adds the TOTP MFA extension if not selected at install (optional)
- `add-ssl-guac-gaucd.sh`: A hardening script to add a TLS wrapper between the guacd daemon and Guacamole client application traffic (optional, consider extra performance impact mitigations)
- `add-tls-guac-daemon.sh`: A hardening script to add a TLS wrapper between the guacd server daemon and Guacamole application traffic (optional, consider extra performance impact mitigations)
- `add-fail2ban.sh`: Adds a fail2ban policy (with local subnet override) to secure Guacamole against external brute force attacks
- `add-smtp-relay-o365.sh`: Sets up a TLS/SMTP auth relay with O365 for monitoring & alerts (BYO app password)
- `add-smtp-relay-o365.sh`: Sets up an SMTP auth relay with O365 for monitoring & alerts (BYO app password)
- `backup-guacamole.sh`: A simple MySQL Guacamole backup script
- `branding.jar`: An example template for a customised Guacamole login screen. The extension allows some measure of branding the user interface (or delete to keep the default interface). This is a version of https://github.com/Zer0CoolX/guacamole-customize-loginscreen-extension but with further tweaks to additionally support custom browser tab favicons. Much more extensive branding is possible via CSS inside this extension.
- `branding.jar`: An example template for a customised Guacamole login screen. Much further UI customisation is possible inside this extension via additional CSS. Delete this file to keep the default Guacmole UI.

@ -50,7 +50,7 @@ echo "duo-api-hostname: ??????????"
echo "duo-secret-key: ??????????"
echo "duo-application-key: (this is locally created - run 'pwgen 40 1' to manually generate this 40 char random value)"
echo
echo "Once this change is complete, restart Guacamole with sudo systemctl restart tomcat9"
echo "Once this change is complete, restart Guacamole with sudo systemctl restart ${TOMCAT_VERSION}"
rm -rf guacamole-*
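Review bot: The restart hint on the new line L608 now interpolates `${TOMCAT_VERSION}`, but nothing in this hunk shows the variable being defined in add-auth-duo.sh; if it is unset the message ends in `systemctl restart ` and the user is left without a service name. Other scripts in this commit carry a comment saying such values are filled in by 1-setup.sh, so presumably the same applies here, but a standalone run would still print a broken hint. Guard it near the top of the script with `: "${TOMCAT_VERSION:?must be set (normally populated by 1-setup.sh)}"` or fall back with `TOMCAT_VERSION=${TOMCAT_VERSION:-tomcat9}`. The enclosing code runs outside the hunk.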

@ -18,7 +18,6 @@ NC='\033[0m' #No Colour
clear
# Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then
echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2

@ -17,6 +17,7 @@ NC='\033[0m' #No Colour
clear
# Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then
echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2

@ -17,6 +17,7 @@ NC='\033[0m' #No Colour
clear
# Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then
echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
@ -40,10 +41,10 @@ rm -f /tmp/fail2ban.update
# Start setup prompts #################################################################################################
#######################################################################################################################
# Prompt to install fail2ban base app, default of yes
# Prompt to install fail2ban base package with no policy as yet, default of yes
if [[ -z ${FAIL2BAN_BASE} ]]; then
echo
echo -e -n "${LGREEN}Install Fail2ban? [default y]: ${GREY}"
echo -e -n "${LGREEN}Install Fail2ban? (base package with no policy as yet) [default y]: ${GREY}"
read PROMPT
if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
FAIL2BAN_BASE=false
@ -63,40 +64,40 @@ if [[ -z ${FAIL2BAN_GUAC} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
fi
fi
# Prompt to install Nginx fail2ban config defaults , default of no
if [[ -z ${FAIL2BAN_NGINX} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
echo -e -n "${GREY}POLICY: Apply Nginx fail2ban security policy? (y/n) [default n]:${GREY}"
read PROMPT
if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
FAIL2BAN_NGINX=true
else
FAIL2BAN_NGINX=false
fi
fi
# Prompt to install Nginx fail2ban config defaults , default of no - NOT IMPLEMENTED YET
#if [[ -z ${FAIL2BAN_NGINX} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
# echo -e -n "${GREY}POLICY: Apply Nginx fail2ban security policy? (y/n) [default n]:${GREY}"
# read PROMPT
# if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
# FAIL2BAN_NGINX=true
# else
# FAIL2BAN_NGINX=false
# fi
#fi
# Prompt to install SSH fail2ban config defaults , default of no
if [[ -z ${FAIL2BAN_SSH} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
echo -e -n "${GREY}POLICY: Apply SSH fail2ban security policy? (y/n) [default n]:${GREY}"
read PROMPT
if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
FAIL2BAN_SSH=true
else
FAIL2BAN_SSH=false
fi
fi
# Prompt to install SSH fail2ban config defaults , default of no - NOT IMPLEMENTED YET
#if [[ -z ${FAIL2BAN_SSH} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
# echo -e -n "${GREY}POLICY: Apply SSH fail2ban security policy? (y/n) [default n]:${GREY}"
# read PROMPT
# if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
# FAIL2BAN_SSH=true
# else
# FAIL2BAN_SSH=false
# fi
#fi
#######################################################################################################################
# Fail2ban base setup #################################################################################################
#######################################################################################################################
# Install base fail2ban base application (no policy defined yet)
# Install base fail2ban base application, and whitelist the local subnet as the starting baseline (no policy defined yet)
if [ "${FAIL2BAN_BASE}" = true ]; then
#Update and install fail2ban (and john for management of config file updates)
#Update and install fail2ban (and john for management of config file updates, and not overwrite any existing settings)
sudo apt-get update -qq >/dev/null 2>&1
sudo apt-get install fail2ban john -qq -y >/dev/null 2>&1
# Create the basic jail.local template
# Create the basic jail.local template and local subnet whitelist
cat >/tmp/fail2ban.conf <<EOF
[DEFAULT]
destemail = yourname@example.com
@ -173,7 +174,7 @@ if [ "${FAIL2BAN_BASE}" = true ]; then
# Now the above loop is done, append the single loopback address to all the discovered the subnet IDs in a single line
sed -i 's/^/127.0.0.1\/24 /' /tmp/netaddr.txt
# Finally assemble the entire syntaxt of the ignoreip whitelist for insertion into the base fail2ban config
# Finally assemble the entire syntax of the ignoreip whitelist for insertion into the base fail2ban config
SED_IGNORE=$(echo "ignoreip = ")
SED_NETADDR=$(cat /tmp/netaddr.txt)
sed -i "s|ignoreip \=|${SED_IGNORE}${SED_NETADDR}|g" /tmp/fail2ban.conf
@ -181,7 +182,7 @@ if [ "${FAIL2BAN_BASE}" = true ]; then
# Move the new base fail2ban config to the jail.local file
touch /etc/fail2ban/jail.local
# Apply thhe base config, keeping any pre-existing settings
# Apply the base config, keeping any pre-existing settings
sudo bash -c 'cat /tmp/fail2ban.conf /etc/fail2ban/jail.local | unique /tmp/fail2ban.update ; cat /tmp/fail2ban.update > /etc/fail2ban/jail.local'
# Clean up
@ -190,7 +191,7 @@ if [ "${FAIL2BAN_BASE}" = true ]; then
rm -f /tmp/netaddr.txt
rm -f /tmp/fail2ban.update
# bounce the service to relaod the new config
# bounce the service to reload the new config
sudo systemctl restart fail2ban
# Done
@ -204,16 +205,18 @@ else
fi
#######################################################################################################################
# Fail2ban optional setup items #######################################################################################
# Fail2ban optional policy setup items ################################################################################
#######################################################################################################################
if [ "${FAIL2BAN_GUAC}" = true ]; then
# Create the Guacamole jail.local policy template
cat >/tmp/fail2ban.conf <<EOF
[guacamole]
enabled = true
port = http,https
logpath = /var/log/$TOMCAT_VERSION/catalina.out
bantime = 10m
bantime = 15m
findtime = 60m
maxretry = 5
EOF
@ -232,8 +235,13 @@ REGEX='failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentica
#Insert the new regex
sed -i -e "/Authentication attempt from/a ${REGEX}" /etc/fail2ban/filter.d/guacamole.conf
# Bounce the service to relaod the new config
# Done
echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban"
# Bounce the service to reload the new config
sudo systemctl restart fail2ban
echo
fi
# Clean up
rm -f /tmp/fail2ban.conf
@ -241,21 +249,17 @@ rm -f /tmp/ip_list.txt
rm -f /tmp/netaddr.txt
rm -f /tmp/fail2ban.update
# Done
echo -e "${LGREEN}Guacamole security policy applied${GREY}\n-${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban"
echo
############## Start Fail2ban NGINX security policy option ###############
if [ "${FAIL2BAN_NGINX}" = true ]; then
echo -e "${LGREEN}Nginx Fail2ban policy not implemented yet.${GREY}"
echo
fi
#if [ "${FAIL2BAN_NGINX}" = true ]; then
# echo -e "${LGREEN}Nginx Fail2ban policy not implemented yet.${GREY}"
# echo
#fi
############### Start Fail2ban SSH security policy option ################
if [ "${FAIL2BAN_SSH}" = true ]; then
echo -e "${LGREEN}SSH Fail2ban policy not implemented yet..${GREY}"
echo
fi
#if [ "${FAIL2BAN_SSH}" = true ]; then
# echo -e "${LGREEN}SSH Fail2ban policy not implemented yet..${GREY}"
# echo
#fi
#Done
echo -e ${NC}
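Review bot: The success message moved to line L752 is printed before `sudo systemctl restart fail2ban` on L754, so a restart that fails (for example on a malformed jail.local) still reports "Guacamole security policy applied" and the host is left without the ban policy active. Restart first and check the result, then print the message: `sudo systemctl restart fail2ban || { printf 'fail2ban restart failed - check: sudo journalctl -u fail2ban\n' >&2; exit 1; }`. Note also that `${SED_NETADDR}` is only assigned inside the FAIL2BAN_BASE block (around L713), so if FAIL2BAN_GUAC is preset to true while FAIL2BAN_BASE is false, the whitelist text in that message will be empty rather than listing any subnet. The commented-out Nginx/SSH prompts and policy stubs at L663-691 and L770-782 would be cleaner removed and recovered from git history than kept as dead code marked "NOT IMPLEMENTED YET".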

@ -26,6 +26,7 @@ SENDER=$SUDO_USER
SERVER=$(uname -n)
DOMAIN_SEARCH_SUFFIX=$(grep search /etc/resolv.conf | grep -v "#" | sed 's/'search[[:space:]]'//')
# Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then
echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2

@ -1,6 +1,6 @@
#!/bin/bash
#######################################################################################################################
# Harden Guacd <-> Guac client traffic in SSL wrapper
# Harden Guacd <-> Guac client traffic in TLS wrapper
# For Ubuntu / Debian / Raspbian
# David Harrop
# April 2023
@ -15,6 +15,7 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install
CERT_COUNTRY=
CERT_STATE=
CERT_LOCATION=
@ -23,13 +24,14 @@ CERT_OU=
clear
# Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then
echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
exit 1
fi
# Create the special directory for guacd ssl certfifacte and key.
# Create the special directory for guacd tls certificate and key.
sudo mkdir /etc/guacamole/ssl
echo
cat <<EOF | tee -a cert_attributes.txt
@ -57,11 +59,11 @@ DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
# Create the self signining request, certificate & key
# Create the self signing request, certificate & key
sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/guacamole/ssl/guacd.key -out /etc/guacamole/ssl/guacd.crt -config cert_attributes.txt
rm -f cert_attributes.txt
# Point Gaucamole config file to certificate any key
# Point Guacamole config file to certificate and key
sudo cat <<EOF | sudo tee /etc/guacamole/guacd.conf
[server]
bind_host = 127.0.0.1
@ -71,7 +73,7 @@ server_certificate = /etc/guacamole/ssl/guacd.crt
server_key = /etc/guacamole/ssl/guacd.key
EOF
# Enable SSL backend
# Enable TLS backend
sudo cat <<EOF | sudo tee -a /etc/guacamole/guacamole.properties
guacd-ssl: true
EOF
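Review bot: The comment added at line L809 says CERT_COUNTRY and the other CERT_* placeholders are filled in by 1-setup.sh, but the script never checks that the substitution actually happened before `openssl req` consumes cert_attributes.txt on L831, so a standalone run silently produces a certificate with empty subject fields. A guard right after the assignments, `: "${CERT_COUNTRY:?populated by 1-setup.sh - run it first or set manually}"` (repeated for the other CERT_* values), fails fast instead. How the CERT_* values reach cert_attributes.txt is inside the heredoc opened at L825, which continues outside the hunk. The private key written with `-nodes` to /etc/guacamole/ssl/guacd.key is not visibly given restricted permissions in this hunk; confirm elsewhere in the script that its mode is limited to the account guacd runs as.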

@ -19,6 +19,7 @@ clear
export PATH=/bin:/usr/bin:/usr/local/bin
TODAY=$(date +%Y-%m-%d)
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install
MYSQL_HOST=
MYSQL_PORT=
GUAC_USER=

@ -21,6 +21,7 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour
# Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then
echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2