No more LogMeIn Free? OpenSource to the rescue! Part 3: Upgrading Guacamole

By Tomba on Saturday 19 April 2014 14:48 - Comments (4)
Categories: Guacamole, Linux, System administration, Views: 4.251

In part 1 of my series on Guacamole we learned how to install Guacamole on an Ubuntu machine, and in part 2 how to further secure the machine running it. Since Guacamole 0.9.0 was released recently, this time we will look into upgrading to the newer version.

First off, I upgraded my Ubuntu machine to 14.04 to enable SSH support. Two extra packages are needed for this: libpango2-1 and libssh2-1-dev.
Installing these is as easy as running
apt-get install libpango2-1 libssh2-1-dev

Screenshots to follow later

1. Stop both guacd (the Guacamole proxy daemon) and Tomcat7 by running
service guacd stop
service tomcat7 stop

2. Download the new War file by running
wget -O guacamole-0.9.0.war http://sourceforge.net/pr...camole-0.9.0.war/download

3. Download the new server source by running
wget -O guacamole-server-0.9.0.tar.gz http://sourceforge.net/pr...ver-0.9.0.tar.gz/download

4. Now we can unpack the source files of Guacamole server and we configure the package (Note by adding the --with-init-dir=/etc/init.d switch we prepare the build to install a startup script for guacd into the /etc/init.d directory)
tar -xzf guacamole-server-0.9.0.tar.gz
cd guacamole-server-0.9.0/
./configure --with-init-dir=/etc/init.d

5. If no errors occur we can make the source
make

6. And install Guacamole server:
make install

7. Now we tell Ubuntu to register the startup script for Guacamole server and to rescan the shared libraries
update-rc.d guacd defaults
ldconfig

8. Now we need to remove the old Guacamole web application that Tomcat7 unpacked earlier and copy the new war file in its place
rm -r /var/lib/tomcat7/webapps/guacamole
cp guacamole-0.9.0.war /var/lib/tomcat7/webapps/guacamole.war

9. All preparations are now done, so it's time to restart Guacamole and Tomcat7
service guacd start
service tomcat7 restart

Now Guacamole 0.9.0 should be running on port 8080 on your server :)

No more LogMeIn Free? OpenSource to the rescue! Part 2: Securing Guacamole and exposing it to the Web

By Tomba on Thursday 06 February 2014 09:35 - Comments are closed
Categories: Guacamole, Linux, System administration, Views: 5.336

Don't forget to check out Part 3!

In part 1 of my series on Guacamole we learned how to install Guacamole on an Ubuntu machine. As Guacamole is still being developed it cannot be guaranteed to be 100% safe, so extra security measures are advisable before opening Guacamole to the big bad internet. This guide shows you how to use Apache2 as a frontend. In a later guide I will also look into securing Apache with ModSecurity and Mod-Spamhaus, but that is beyond the scope of this guide. I also have a VPN between my VPS and my internal server (so I don't need to expose my internal network to the internet); this is also out of the scope of this guide. To use this guide you must have successfully installed Guacamole inside your own network.

As I own a VPS I used the VPS as a frontend proxy (connected through a VPN to my internal Guacamole server), but Apache2 can also run on the same machine as Guacamole. In that scenario there is less configuration to do. In both scenarios I will be using AJP as the communication protocol between Tomcat7 and Apache2.

Guacamole Schema

1. First we need to install mod-proxy to allow Apache to act as a Frontend (proxy) to Tomcat7
apt-get install libapache2-mod-proxy-html

2. Secondly, Tomcat7 (on the Guacamole server) needs to be configured for AJP.
To allow AJP connections to Tomcat, you must add a connector to Tomcat's server.xml. There may already be an example connector in your server.xml, in which case all you need to do is uncomment it, editing the port number as desired (in this guide we leave it at the default 8009):

vi /etc/tomcat7/server.xml
<Connector port="8009" protocol="AJP/1.3"
URIEncoding="UTF-8"
redirectPort="8443" />


The URIEncoding="UTF-8" attribute above ensures that connection names, user names, etc. which contain non-latin characters are properly received. If you will be creating connections that have Cyrillic, Chinese, Japanese, etc. characters in the names or parameter values, you should be sure to set this attribute.

Tomcat must be restarted after the connector is added.
service tomcat7 restart

3. Once the connector is open, and Tomcat is listening on the port specified, you can edit your Apache configuration, adding a location which will proxy the Guacamole web application served via AJP by Tomcat:

<Location /guacamole/>
Order allow,deny
Allow from all
ProxyPass ajp://HOSTNAME:8009/guacamole/ max=20 flushpackets=on
ProxyPassReverse ajp://HOSTNAME:8009/guacamole/
</Location>


The most important thing in this entire section is the option flushpackets=on. Most proxies, including mod_proxy, will buffer all data sent over the connection, waiting until the connection is closed before sending that data to the client. As Guacamole's tunnel will stream data to the client over an open connection, buffering this stream breaks Guacamole's communication.

If the option flushpackets=on is not specified, Guacamole will not work.

4. As AJP neither encrypts nor authenticates, I enabled ufw on my Guacamole machine to only allow AJP traffic from the Apache host. Don't forget to add an exception for your SSH access before enabling it, though, because ufw blocks incoming traffic by default!
ufw allow from [internalLAN] to [internalIP] port 22
ufw allow from [apache-VPN-IP] to [Guacamole-VPN-IP] port 8009
ufw enable

So if your VPN addresses are 192.168.111.5 (Guacamole) and 192.168.111.10 (Apache2), your internal Guacamole address is 192.168.1.5 and your LAN is 192.168.1.0/24, the commands are:
ufw allow from 192.168.1.0/24 to 192.168.1.5 port 22
ufw allow from 192.168.111.10 to 192.168.111.5 port 8009
ufw enable


5. Now it's time to finish configuring Apache2 by adding Apache authentication and HTTPS. To use HTTPS you can either use a self-signed certificate (causing warnings to pop up in your browser), buy a web certificate or use StartSSL to get a free one. This guide assumes you have both the key and the crt available; if you need help with this you can check here.

First create a DocumentRoot folder for the website (in this guide /var/guacamole.example.com)
mkdir /var/guacamole.example.com

Now we will create an Apache2 password file we will be using later to add an extra layer of authentication. Go to http://www.htaccesstools.com/htpasswd-generator/ and generate as many user/password combinations as you see fit and put these in /var/guacamole.example.com/.htpasswd. In this example I used user test with password 123
vi /var/guacamole.example.com/.htpasswd
Contents:
test:$apr1$LOLOpimH$.UnEpRCXoj08CPgqzZkJV0
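As an added example (not code from the original post), here is a local alternative to the web-based generator: a Python implementation of Apache's APR1-MD5 scheme that creates and verifies entries in exactly the format of the line above, so passwords never leave your own machine. The only assumption is that the entries use the $apr1$ scheme, which is what the generator and htpasswd -m produce.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):  # `count` 6-bit groups of `value`, least significant first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password, salt):
    """Return '$apr1$<salt>$<hash>', the APR1-MD5 scheme that htpasswd -m produces."""
    pw, salt = password.encode("utf-8"), salt[:8]
    sb = salt.encode("ascii")
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    left = len(pw)
    while left > 0:  # mix the alternate digest in once per 16 password bytes
        ctx.update(alt[:min(left, 16)])
        left -= 16
    bit = len(pw)
    while bit:  # per length bit: a NUL if the bit is set, the first password byte if not
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds over password, salt and previous digest
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    p = final  # digest bytes are interleaved into 24-bit groups before encoding
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((p[a] << 16) | (p[b] << 8) | p[c], 4) for a, b, c in groups)
    return "$apr1$%s$%s%s" % (salt, enc, _to64(p[11], 2))


def htpasswd_entry(user, password):  # fresh random 8-character salt per entry
    salt = "".join(ITOA64[b & 0x3F] for b in os.urandom(8))
    return "%s:%s" % (user, apr1_hash(password, salt))


def verify_entry(entry, user, password):
    """Check a candidate password against one .htpasswd line (constant-time compare)."""
    name, _, stored = entry.partition(":")
    parts = stored.split("$")  # ['', 'apr1', salt, hash]
    if name != user or len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)


SAMPLE_ENTRY = "test:$apr1$LOLOpimH$.UnEpRCXoj08CPgqzZkJV0"  # the entry from the post above
```

Keep the file out of the DocumentRoot, or rely on the <FilesMatch "^\.ht"> deny rule that Ubuntu's apache2.conf ships, so Apache never serves it.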

Next we add a new website to Apache2 by adding a file to /etc/apache2/sites-available. In this example I am working with the domain name guacamole.example.com and a free SSL certificate from StartSSL; change this to the domain name of your server (you can also use the IP address, of course). To make sure we always end up on HTTPS, a permanent redirect is specified on port 80 (HTTP).
The 'Allow from [YOU]' line allows the machine with IP address [YOU] to continue without authentication, so if you have a static IP address you can use it to log in just a bit faster. If you have a dynamic IP address, just delete that line.
vi /etc/apache2/sites-available/guacamole
# Modules this site needs: a2enmod proxy proxy_ajp ssl auth_basic
# NameVirtualHost belongs outside any VirtualHost block; only Apache 2.2 needs it, 2.4 ignores it
NameVirtualHost guacamole.example.com:443

<VirtualHost guacamole.example.com:80>
ServerName guacamole.example.com
Redirect permanent / https://guacamole.example.com/
Redirect permanent /guacamole https://guacamole.example.com/guacamole
</VirtualHost>

<VirtualHost guacamole.example.com:443>
ServerName guacamole.example.com
DocumentRoot /var/guacamole.example.com

SSLEngine on
SSLCertificateFile /etc/ssl/cert/guacamole.example.com.crt
SSLCertificateKeyFile /etc/ssl/cert/guacamole.example.com.key
# Apache honours only one SSLCertificateChainFile, so concatenate the two StartSSL chain files first:
# cat /etc/ssl/cert/sub.class1.server.ca.pem /etc/ssl/cert/ca.pem > /etc/ssl/cert/startssl-chain.pem
SSLCertificateChainFile /etc/ssl/cert/startssl-chain.pem

<Location /guacamole/>
ProxyPass ajp://192.168.111.5:8009/guacamole/ max=20 flushpackets=on
ProxyPassReverse ajp://192.168.111.5:8009/guacamole/
AuthName "Password Protected Area"
AuthUserFile /var/guacamole.example.com/.htpasswd
AuthType Basic
Order deny,allow
Deny from all
require valid-user
# Satisfy Any: either a valid user OR a request from the trusted [YOU] address is allowed in
Allow from [YOU]
Satisfy Any
</Location>

</VirtualHost>

Now enable the website by running (the argument is the file name in sites-available; on Apache 2.4 that file must end in .conf)
a2ensite guacamole
and restart Apache2 by running
service apache2 restart

You should now be able to open the website https://guacamole.example.com/guacamole and after entering the correct Apache2 username/password see your Guacamole server!
http://tweakers.net/ext/f/K8UO1hvCU0Dz3P5IroKW7AO7/full.png
http://tweakers.net/ext/f/rXfEIqiUothNrd0x0mfAjYcj/full.png

Note: To achieve real end-to-end encryption you should only use Remote Desktop (which is encrypted by default) or buy a personal licence for RealVNC, which allows encrypting the communication between Guacamole and VNC. In this example encryption between the client and the Apache2 server is achieved by HTTPS, and encryption between Apache2 and Tomcat7 by using a VPN.

No more LogMeIn Free? OpenSource to the rescue! Part 1: Installing and configuring Guacamole

By Tomba on Wednesday 22 January 2014 12:32 - Comments (25)
Categories: Guacamole, Linux, System administration, Views: 6.718

Be sure to check out Part 2 and Part 3 of this guide as well :)

I am probably not the only Tweaker who has been using LogMeIn Free to get access to remote computers. It was easy to set up and allowed direct access to the console of the computer running LogMeIn. Very handy when helping friends or family who need regular support. Unfortunately LogMeIn, in all its wisdom, has announced that the Free edition is End of Life and will become unusable within one week. I briefly considered switching to one of the other solutions like TeamViewer, but hated to put my fate into the hands of yet another company able to pull support at any minute. I started looking around for a solution and found a great OpenSource one: Guacamole!

Guacamole is an HTML5 remote desktop gateway that lets you open VNC and RDP sessions to specific systems without installing any software on the client. (Unfortunately Pango is broken in Ubuntu 13.10, so SSH connections won't be available.) Nothing more is required than a web browser that supports HTML5 and AJAX.
This blog describes the steps required to configure and use Guacamole. As my Linux flavour of choice is Ubuntu, all screenshots and steps are specific to that distro. For other distros you might need other steps; see the Guacamole install guide for more info!

1. First we need to install all the prerequisites to use Guacamole:
apt-get install make libcairo2-dev libpng12-dev freerdp-x11 libssh2-1 libvncserver-dev libfreerdp-dev libvorbis-dev libssl0.9.8 gcc libssh-dev libpulse-dev tomcat7 tomcat7-admin tomcat7-docs
http://tweakers.net/ext/f/rk2AEsrNr48qhJK2GudIEaUW/full.png
(libpango1.0-dev is broken in 13.10 so I won't install it, meaning no SSH through Guacamole; this will be fixed in Ubuntu 14.04)

2. Because Ubuntu only has Guacamole 0.6.0 in the repositories (which does not support NLA for access to Windows 2012 Servers) we need to download the source of Guacamole Server by running the command
wget -O guacamole-server-0.8.3.tar.gz http://downloads.sourcefo...4&use_mirror=optimate
http://tweakers.net/ext/f/JER0t4yKkYcqKzC8Khg9jySd/full.png

3. As we are deploying on Tomcat7 we also need the War file:
wget -O guacamole-0.8.3.war http://downloads.sourcefo...37127&use_mirror=garr
http://tweakers.net/ext/f/ZonSoyAN0cHAn304bsJ5bwvg/full.png

4. Now we unpack the source files of Guacamole server and we configure the package (Note by adding the --with-init-dir=/etc/init.d switch we prepare the build to install a startup script for guacd into the /etc/init.d directory)
tar -xzf guacamole-server-0.8.3.tar.gz
cd guacamole-server-0.8.3/
./configure --with-init-dir=/etc/init.d

http://tweakers.net/ext/f/N895zBUk6Mi0XXahKFaQdXNC/full.png

5. If no errors occur we can make the source
make
http://tweakers.net/ext/f/xZV9EmIiXshsUnbi6OGFNQO9/full.png

6. And install Guacamole server:
make install
http://tweakers.net/ext/f/CLEvcOIjEBg59cBNJ4zlOho1/full.png

7. Now we tell Ubuntu to register the startup script for Guacamole server and to rescan the shared libraries
update-rc.d guacd defaults
ldconfig

http://tweakers.net/ext/f/RbF82KACzw4E4JLDEi0RqbaE/full.png

8. Now it's time to create the settings files for Guacamole
mkdir /etc/guacamole
vi /etc/guacamole/guacamole.properties

http://tweakers.net/ext/f/aTgGuf3tnF7T8whXDAE8vQw2/full.png

9. Enter the following info into /etc/guacamole/guacamole.properties
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822

# Location to read extra .jar's from
lib-directory: /var/lib/tomcat7/webapps/guacamole/WEB-INF/classes

# Authentication provider class
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider

# Properties used by BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml

http://tweakers.net/ext/f/jQXV6koBmkFvvftv16nrXrbZ/full.png

10. Now edit the file /etc/guacamole/user-mapping.xml (below is an example that allows a user named administrator with password 1234 access to VNC on the host test). See Guacamole's own manual to find out what parameters you can enter.
http://tweakers.net/ext/f/msngqPQtcPogczOF2qocta9I/full.png

11. Now we need to make the war and configuration file available to Tomcat7 by running
mkdir /usr/share/tomcat7/.guacamole
ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat7/.guacamole
cp guacamole-0.8.3.war /var/lib/tomcat7/webapps/guacamole.war

http://tweakers.net/ext/f/OiyP7LhumBrWlOkXNA2g7y5O/full.png

12. All preparations are now done, so it's time to start Guacamole and restart Tomcat7
service guacd start
service tomcat7 restart

http://tweakers.net/ext/f/mObF1pTGYXQswAIaaukjVLkp/full.png

13. Now connect to http://[ipaddress]:8080 and log in with the username supplied in step 10!
http://tweakers.net/ext/f/7urwaCQYidQ0cyyUdocnBWgk/full.png

Go to Part 2 to see how to use Apache as a frontend and how to further secure your installation.

Blocking ads with your own DNS server (3)

By Tomba on Thursday 12 December 2013 14:29 - Comments (15)
Categories: Linux, System administration, Views: 3.206

In my earlier blog posts I have already explained how I make sure that our internet experience at home is as ad-free as possible.
Unfortunately my solution turns out to have stopped working since 6 December! What happened? MSMVPS made a change to their hosts file:
Important Note: This update contains a change in the prefix in the HOSTS entries to "0.0.0.0" instead of the usual "127.0.0.1". This was done to resolve a slowdown issue with the new Win8.1/IE11 and the HOSTS file.

I'm not sure what Microsoft changed in the new version, although I suspect it has something to do with the new "TCP loopback interface" in Win8.1 ... this change in the prefix should not affect users.

If this proves to be a permanent fix ... I will update the website to reflect the changes.
The result is that no ad is blocked anymore! Fortunately this is not hard to work around: by changing one line in the script (127.0.0.1 has to be changed to 0.0.0.0, otherwise the grep returns no results!) everything works properly again.

code:
#!/bin/sh
# Automatic ad blacklist by Tomba based on Gjs script (http://tomba.tweakblogs.net/blog/9171/ads-blocken-met-je-eigen-dns-server.html#r_127502 )
# 2013-12-12 Changed due to different syntax in MSMVP hostfile

# Make backup of current zone file
cp /etc/bind/adservers /etc/bind/adservers.backup

# Get newest MVPS HOSTS File Update and write it to /etc/bind/adservers
curl -s http://winhelp2002.mvps.org/hosts.txt |grep -v localhost| grep ^0.0.0.0 |awk '{print $2}' |awk '{ sub(/\r$/,""); print "zone \""$0"\" { type master; notify no; file \"null.zone.file\"; };" }' > /etc/bind/adservers

# Restart Bind to make sure it picks up the new zonefile
service bind9 restart
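The grep in the pipeline above silently yields an empty zone file whenever MVPS changes the sinkhole prefix. As an added example (not part of the original post), this Python version accepts both the old and the new prefix, strips CRLF and comments, skips localhost and rejects names that would not be valid inside named.conf before writing the zone file; the hosts lines are a constructed sample standing in for the downloaded hosts.txt.

```python
import re

# Constructed sample in the layout of the MVPS hosts.txt: a comment, the localhost
# line, the new 0.0.0.0 prefix, the old 127.0.0.1 prefix, CRLF endings and one
# name that must not end up inside named.conf because of the embedded quote.
SAMPLE_HOSTS = (
    "# This MVPS HOSTS file is a free download\r\n"
    "127.0.0.1  localhost\r\n"
    "0.0.0.0  ad.example.net\r\n"
    "127.0.0.1  banners.example.org   # old-style prefix\r\n"
    "0.0.0.0  bad\"name.example\r\n"
    "0.0.0.0  www.tracker.example\n"
)

# Hostname labels: letters, digits and hyphens, no leading/trailing hyphen, dot-separated.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(r"^%s(\.%s)*$" % (LABEL, LABEL))
SINK_PREFIXES = ("127.0.0.1", "0.0.0.0")


def hosts_to_blocked_names(text):
    """Return the sorted, de-duplicated hostnames a MVPS-style hosts file sinkholes.

    Accepts both the 127.0.0.1 and the 0.0.0.0 prefix (the change that silently
    emptied the original grep), strips CR and comments, skips localhost and
    drops anything that is not a syntactically valid hostname.
    """
    names = set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in SINK_PREFIXES:
            continue
        for name in parts[1:]:
            if name.lower() != "localhost" and HOSTNAME_RE.match(name):
                names.add(name.lower())
    return sorted(names)


def bind_zone_statements(names):
    """Render one 'zone' statement per name, the format /etc/bind/adservers holds."""
    return ['zone "%s" { type master; notify no; file "null.zone.file"; };' % n
            for n in names]


def write_adservers(text, path="/etc/bind/adservers"):
    """Convert hosts text to zone statements, write them to path, return the count."""
    lines = bind_zone_statements(hosts_to_blocked_names(text))
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)
```

Because every name is validated before it is written, a malformed or tampered upstream line can no longer break the named.conf include; keep the backup step and the bind9 restart from the script above around this.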


Nothing else about the procedure has changed, so you still have to make sure the script is executable and that it is scheduled with cron; see my second blog post about this solution for that :)

Disabling hardware under Windows from the command line

By Tomba on Tuesday 22 October 2013 14:38 - Comments (10)
Category: System administration, Views: 2.205

As an administrator you sometimes run into things you did not anticipate. Recently I found that on new PCs all drive mappings below I: (so E:, F:, G: and H:) did not work. After some investigation I found out that the card reader in that machine reserved 4 drive letters for itself, even when no card was inserted. Since I did not feel like configuring all PCs (100+) by hand, and I work in automation, I solved this with a script and the program 'DevCon' :)

1. Look up the name of the device in Device Manager (in our computers it is called 'Multiple Card Reader USB Device')
2. Run devcon64.exe find [startofdevicename]*

code:
devcon64.exe find Multiple*

This gives the following output:
USBSTOR\DISK&VEN_MULTIPLE&PROD_CARD__READER&REV_1.00\058F63666433&0: Multiple Card Reader USB Device
1 matching device(s) found.
3. Run devcon64.exe disable [hardwareID]
In this example: devcon64.exe disable USBSTOR\DISK&VEN_MULTIPLE&PROD_CARD__READER&REV_1.00\058F63666433&0: