Guacamole had some type of dos type affect on it from a normal client
I'm not sure how to post this, but I
noticed a short time ago our Guacamole server (recently upgraded to .0.9.12)
was really slow and was not responding. It has never done this before.
After logging into it via ssh it was
responding but quite slow. and when I checked the stats the mem seemed
I checked the syslog and all i saw was
lines of this all day.
Jul 28 14:26:57 server kernel: [617311.261369]
TCP: drop open request from xxx.xxx.xxx.146/57162
Jul 28 14:26:58 server kernel: [617311.393392]
TCP: drop open request from xxx.xxx.xxx.146/57163
Jul 28 14:26:58 server kernel: [617311.527442]
TCP: drop open request from xxx.xxx.xxx.146/57164
Jul 28 14:26:58 server kernel: [617311.645377]
TCP: drop open request from xxx.xxx.xxx.146/57165
Jul 28 14:26:58 server kernel: [617311.777411]
TCP: drop open request from xxx.xxx.xxx.146/57166
Jul 28 14:26:58 server kernel: [617311.909498]
TCP: drop open request from xxx.xxx.xxx.146/57167
I was not sure what was going on or
who it may be so I basically quickly tossed in a rule to block that IP
(xxx...) in the unix firewall . After that Guacamole starting to behave
normally again. Ie, responding on the webserver.
now it seems it was actually one of
the users machines . (unless it was a total coincidence that some tried
something from the same ip that happened to match one of our users at their
Our system has very low usage and perhaps
1-2 users max at a time. Running Ubuntu 14.04 with NgineX passing to Tomcat
on https only. mysql database for users.
I could not find much else in the logs
at the time and unfortunately they way the logs seem to be configured I
was not able to figure out at the time what user was using that IP. Where
could I look for that by the way.
I noticed the tomcat logs only show
an authentication from 127.0.0.1
INFO o.a.g.r.auth.AuthenticationService - User "user1"
successfully authenticated from 127.0.0.1.
INFO o.a.g.tunnel.TunnelRequestService - User "user1" connected
to connection "14".