Guacamole had some type of dos type affect on it from a normal client


DMoscovitch
Hi
I'm not sure how to post this, but I noticed a short time ago that our Guacamole server (recently upgraded to 0.9.12) was really slow and not responding. It has never done this before.
After logging into it via SSH it was responding, but quite slowly, and when I checked the stats the memory seemed all used.
I checked the syslog and all I saw were lines like this all day.

Jul 28 14:26:57 server kernel: [617311.261369] TCP: drop open request from xxx.xxx.xxx.146/57162
Jul 28 14:26:58 server kernel: [617311.393392] TCP: drop open request from xxx.xxx.xxx.146/57163
Jul 28 14:26:58 server kernel: [617311.527442] TCP: drop open request from xxx.xxx.xxx.146/57164
Jul 28 14:26:58 server kernel: [617311.645377] TCP: drop open request from xxx.xxx.xxx.146/57165
Jul 28 14:26:58 server kernel: [617311.777411] TCP: drop open request from xxx.xxx.xxx.146/57166
Jul 28 14:26:58 server kernel: [617311.909498] TCP: drop open request from xxx.xxx.xxx.146/57167

I was not sure what was going on or who it might be, so I quickly tossed in a rule to block that IP (xxx...) in the Unix firewall. After that Guacamole started behaving normally again, i.e. responding on the web server.
Now it seems it was actually one of the users' machines (unless it was a total coincidence that someone tried something from the same IP that happened to match one of our users at their ISP).
Our system has very low usage, perhaps 1-2 users max at a time. Running Ubuntu 14.04 with Nginx passing to Tomcat on HTTPS only, MySQL database for users.

I could not find much else in the logs at the time, and unfortunately the way the logs seem to be configured I was not able to figure out at the time which user was using that IP. Where could I look for that, by the way?
I noticed the Tomcat logs only show an authentication from 127.0.0.1:
"""
08:56:42.000 [http-bio-8080-exec-9] INFO  o.a.g.r.auth.AuthenticationService - User "user1" successfully authenticated from 127.0.0.1.
08:56:46.256 [http-bio-8080-exec-6] INFO  o.a.g.tunnel.TunnelRequestService - User "user1" connected to connection "14".
"""

Any comments here?

/danielm
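The kernel "TCP: drop open request" lines quoted above are the one place in this setup that still record the real client address, because Tomcat behind an Nginx proxy only sees 127.0.0.1. The following is an added example (not code from the post or from the Guacamole project) that parses such syslog lines, groups the drops per source address, and flags sources that generate a burst of connection attempts. The log lines it runs on are constructed to mirror the post's (with RFC 5737 documentation addresses in place of the redacted IP), and the year is an assumption because syslog timestamps carry none; the thresholds in `flag_sources` are likewise assumed starting points to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog excerpt modelled on the lines quoted in the post.
# 203.0.113.146 stands in for the redacted xxx.xxx.xxx.146; the other two lines
# are noise that the parser must ignore or keep separate.
SAMPLE_SYSLOG = """\
Jul 28 14:26:57 server kernel: [617311.261369] TCP: drop open request from 203.0.113.146/57162
Jul 28 14:26:58 server kernel: [617311.393392] TCP: drop open request from 203.0.113.146/57163
Jul 28 14:26:58 server kernel: [617311.527442] TCP: drop open request from 203.0.113.146/57164
Jul 28 14:26:58 server kernel: [617311.645377] TCP: drop open request from 203.0.113.146/57165
Jul 28 14:26:58 server kernel: [617311.777411] TCP: drop open request from 203.0.113.146/57166
Jul 28 14:26:58 server kernel: [617311.909498] TCP: drop open request from 203.0.113.146/57167
Jul 28 14:27:01 server kernel: [617314.100000] TCP: drop open request from 198.51.100.7/40001
Jul 28 14:27:05 server sshd[1234]: Accepted publickey for admin from 203.0.113.10 port 51000 ssh2
"""

# Matches the kernel drop line: syslog timestamp, host, "kernel:", uptime, then source IP/port.
DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: \[[\d.]+\] "
    r"TCP: drop open request from (?P<ip>[\d.]+)/(?P<port>\d+)$"
)


def parse_drops(text, year=2017):
    """Return a list of (timestamp, source_ip, source_port) for every drop line.

    The year is assumed (syslog omits it); non-matching lines are skipped.
    """
    events = []
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], int(m["port"])))
    return events


def summarize(events):
    """Aggregate drops per source IP: count, time window, rate, and whether the
    ephemeral ports increase by one each time (one host reconnecting in a loop)."""
    by_ip = defaultdict(list)
    for ts, ip, port in events:
        by_ip[ip].append((ts, port))

    summary = {}
    for ip, items in by_ip.items():
        items.sort()
        first, last = items[0][0], items[-1][0]
        # Syslog has one-second resolution, so a burst inside one second spans 0s;
        # clamp to 1s so the rate stays finite and means "per second".
        span = max((last - first).total_seconds(), 1.0)
        ports = [port for _, port in items]
        sequential = len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))
        summary[ip] = {
            "count": len(items),
            "first": first,
            "last": last,
            "rate_per_s": len(items) / span,
            "sequential_ports": sequential,
        }
    return summary


def flag_sources(summary, min_count=5, min_rate=1.0):
    """Return the source IPs whose drop volume and rate exceed the (assumed) thresholds."""
    return sorted(
        ip for ip, s in summary.items()
        if s["count"] >= min_count and s["rate_per_s"] >= min_rate
    )


if __name__ == "__main__":
    stats = summarize(parse_drops(SAMPLE_SYSLOG))
    for ip, s in stats.items():
        print(f"{ip}: {s['count']} drops, {s['rate_per_s']:.1f}/s, "
              f"sequential ports={s['sequential_ports']}")
    print("flagged:", flag_sources(stats))
```

Run against a real `/var/log/syslog` by replacing `SAMPLE_SYSLOG` with the file contents. A high rate from one address with strictly increasing source ports is consistent with a single machine reopening connections in a tight loop (a misbehaving client, as the poster concluded) rather than a spread of spoofed sources, which is the distinction that decides whether a per-IP firewall rule is the right response.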