In this guide, Apache Guacamole was built on top of Chris Long’s Detection Lab. This guide will work locally, on AWS, as well if you have your own lab, depending on how your lab set up. I will discuss the direct differences between the Detection Lab, home lab, and AWS when it comes to the configurations. However this was built and centered around Detection Lab and AWS.
Being new to AWS, I wanted to really customize my experience, as well as make my experience as pain free as possible. To do so, I had to answer a couple of questions:
How can I get access to my lab, without having to look up my Public IP and edit my security groups everytime moved between devices? This was done by setting up a VPN, Algo/Wireguard specficially. There are some really great guides on this, but Chris Long has one here - https://clo.ng/blog/algo_vpn/
Inside of AWS, everytime you Stop then Start an instance the Public IP will change. Yes you can fix this by setting an Elastic IP, but I didn’t want to spend the money. A free DNS would work amazing for this, which a friend of mine Ben (twitter: @UsernameIsBen) brought to my attention that DuckDNS is perfect for this. This allowed me to not have to look at the Public IP everytime I wanted to get to Guacamole, Splunk, etc. Just a nice easy use the duckdns you create, ex: logger-duckdns.org.
Lastly, I wanted to be able to acces my lab enviroment without 1- Transferring my logger’s private key, or creating a new one for every device. 2. Downloading Remote Desktop or SSH clients on each device I want to access my lab from. This is where Apache Guacamole came in perfectly.
Note Detection Lab AWS does require that you login with SSH key’s vs. username/password. I will show the difference in the configuration in Guacamole below if you have your lab set up which ever way.
Note This guide is for Ubuntu 16.04, if you have 18.04 I have a small write-up for that as well, just contact me. There are also other guides out there was well.
First thing you will want to do is add yor Public IP to the logger’s security group for port 8080 (if you want HTTP), port 8443 (if you want HTTPS), port 8080 & 8443 (HTTP & HTTPS). At the bottom of this guide in the “Securing” Section I do forward 8080 to 8443, so I suggest either just putting 8443, or 8080 & 8443 if you want to see the redirect process.
sudo apt-get install libcairo2-dev libjpeg62-dev libpng12-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat7 tomcat7-admin tomcat7-user
tar zxf guacamole-server-0.9.9.tar.gz
sudo make install
sudo wget http://sourceforge.net/projects/guacamole/files/current/binary/guacamole-0.9.9.war
sudo mv guacamole-0.9.9.war /var/lib/tomcat7/webapps/guacamole.war
sudo mkdir /etc/guacamole
sudo mkdir /usr/share/tomcat7/.guacamole
Create guacamole.properties in /etc/guacamole
sudo nano /etc/guacamole/guacamole.properties
guacd-hostname: localhost gucad-port: 4822 user-mapping: /etc/guacamole/user-mapping.xml auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthentiionProvider basic-user-mapping: /etc/guacamole/user-mapping.xml
sudo ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat7/.guacamole/
Create user-mapping.xml in /etc/guacamole
sudo nano /etc/guacamole/user-mapping.xml
<user-mapping> <authorize username="guacadmin" password="5cbd438413e8e3ca0e14e200fde621a9" encoding="md5"> <connection name="logger"> <protocol>ssh</protocol> <param name="hostname">192.168.38.105</param> <param name="port">22</param> <param name="username">vagrant</param> <param name="private-key">privatekey</param> </connection> <connection name="wef"> <protocol>rdp</protocol> <param name="hostname">192.168.38.103</param> <param name="port">3389</param> <param name="username">vagrant</param> <param name="password">vagrant</param> <param name="security">nla</param> <param name="ignore-cert">true</param> </connection> <connection name="win10"> <protocol>rdp</protocol> <param name="hostname">192.168.38.104</param> <param name="port">3389</param> <param name="username">vagrant</param> <param name="password">vagrant</param> <param name="security">nla</param> <param name="ignore-cert">true</param> </connection> <connection name="dc"> <protocol>rdp</protocol> <param name="hostname">192.168.38.102</param> <param name="port">3389</param> <param name="username">vagrant</param> <param name="password">vagrant</param> <param name="security">nla</param> <param name="ignore-cert">true</param> </connection> </authorize> </user-mapping>
Note 1:To change the password and print it in md5, command is:
printf '%s' "password" | md5sum
Note 2: When inserting private key, header/footer of key needs to be included:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Note: If your lab doesn’t require ssh keys to log in, the logger’s connection can look like below:
<connection name="logger"> <protocol>ssh</protocol> <param name="hostname">192.168.38.105</param> <param name="port">22</param> <param name="username">vagrant</param> </connection>
sudo service tomcat7 start
This starts the guacamole process, if you want this to start on boot (suggested so you don’t have to manually start everytime machine boots) do the following:
Add this to crontab -e
@reboot /usr/local/sbin/guacd &
Test by going to: http://ip-address:8080/guacamole
You should then see the connections page:
These are some basic things you can do to lock down the Tomcat7 server. There are ALOT more things to do, these are some basic things I wanted to implement.
sudo rm -r ROOT/
Create keygen cert:
sudo keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/tomcat7/.keystore
Put guacadmin for all passwords
sudo nano server.xml
Change ‘Connector port=8443’ to:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" maxThreads="25" port="8443" keystoreFile="/etc/tomcat7/.keystore" keystorePass="guacadmin" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />
Change ‘Server port’ to:
<Server port="8789" shutdown="THISPASSWORDISTOOLONGFORYOUTOTRYTOGUESS1234567890">
Save and exit
sudo nano web.xml
Add following between ‘web-app’ & ‘/web-app’ tags:
<security-constraint> <web-resource-collection> <web-resource-name>Protected Context</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
Between session-config change to look like this:
<session-config> <session-timeout>30</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config>
Save and Close
chmod 444 /etc/guacamole/user-mapping.xml
This will set the permissions to “read” for the user-mapping.xml file. This is the minimum permissions Guacamole needs to allow login to the home page, along with allowing client connections (RDP/SSH). If you want to change this file, must run as superuser i.e.
sudo service tomcat7 start
HTTP will now forward to HTTPS and will look similar to this:
Why is this helpful? If you are someone that is constantly on the go, and don’t want to transfer ssh-keys/download RPC/Putty/or ssh everytime you want access to your lab, this helps out. You can add your Public IP to the Security Groups in AWS and just access each box from within a browser of your choosing.
I wanted to give the community a simple guide to follow when it comes to Apache Guacamole, especially when it comes to AWS. I hope you enjoy! If you have any questions or corrections never hesitate to contact me! :)