
Apache Guacamole

Apache Guacamole is a client-less server appliance that leverages current remote access protocols on the back end and lets you use an Apache-based web interface to remotely access your computers or servers. There is no need to expose RDP to the outside world (which no one should do, EVER), or anything other than the one port that carries HTTP traffic.

By default, Apache Tomcat is set up for plain HTTP. You will need to add a cert if you want to secure the connection, or put Guacamole behind a CloudFront Tunnel, which will add a cert for you.

It covers the RDP, VNC and SSH protocols and requires no client software on any machine. You just need to turn on the respective service on the destination device and configure authentication along with a host name/IP.

Apache Tomcat web server vulnerabilities are your biggest concern if you expose it to the outside. As long as that is maintained, there are no other concerns. I would advise using a non-standard port number, MFA, and perhaps even fail2ban to cut down the login risk.

macOS and VNC on Guacamole is a little choppy, even over a wire. I am hoping there is a safe port of RDP that could be leveraged safely for use on macOS.

Debian 12 ships with Tomcat 10, so any automated installer scripts out there will probably fail unless they are specifically rebuilt for Tomcat 9. The Apache Foundation is still behind the times and has not gotten Guacamole to work with Tomcat 10. I've had to stay back at Debian 11 for now, with the possibility of shifting over to Rocky/Alma Linux as an alternative.

SSH connections via Guacamole are a little outdated in terms of the libssh2 package used. It requires ssh-dss or ssh-rsa, both of which are deprecated and insecure by today's standards, to be enabled on the servers you need to connect to with Guacamole. OpenSSH typically leaves at least ssh-rsa open. As an additional issue, there are a few insecure MACs that are needed to allow Guacamole to connect; I ended up using hmac-sha2-512 as an enabled MAC. SSH key-based connections require you to use the older ssh-rsa PEM-style key. To generate the key on the Guac server, use

 ssh-keygen -t rsa -b 4096 -m PEM 

YOU MUST ENTER A PASSPHRASE FOR THE KEY. Then put the public key in authorized_keys on each of the servers you need to connect to with the key, and paste the full private key (id_rsa) into Guac as the key for each of the connections.
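An added check (my own script, not from the page or from the Guacamole project) to run over a private key before it is pasted into a connection: it confirms the file is the PEM layout libssh2 wants, that a passphrase was set, and that nobody else on the Guac server can read it.

```shell
#!/bin/sh
# Added example, not from the page: sanity-check a private key before pasting it
# into a Guacamole SSH connection. Guacamole's libssh2 wants the classic PEM
# "BEGIN RSA PRIVATE KEY" layout (ssh-keygen -m PEM), and a PEM key that was
# given a passphrase carries a "Proc-Type: 4,ENCRYPTED" header; a key without
# a passphrase has no such header, which is the case the page warns against.

# Classify a private key file. Prints one of:
#   pem-encrypted  PEM format with a passphrase: what Guacamole needs
#   pem-plain      PEM format but NO passphrase: add one (ssh-keygen -p -m PEM)
#   openssh        newer OpenSSH format (the ssh-keygen default): redo with -m PEM
#   unknown        not a private key this check recognises
# $1 = path to the private key
guac_key_check() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----")
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo pem-encrypted
            else
                echo pem-plain
            fi ;;
        *) echo unknown ;;
    esac
}

# Return non-zero unless the key is fit to paste into Guacamole; also flags a
# key file that group/other can read (chars 5-10 of the ls -l mode string).
guac_key_ok() {
    kind=$(guac_key_check "$1")
    if [ "$kind" != pem-encrypted ]; then
        echo "$1: $kind" >&2; return 1
    fi
    if [ "$(ls -l "$1" | cut -c5-10)" != "------" ]; then
        echo "$1: readable by group/other, chmod 600 it" >&2; return 1
    fi
}

# Constructed sample: the headers of a passphrase-protected PEM key with a
# placeholder body (no real key material), so the check can be tried offline.
guac_key_check_demo() {
    f=$(mktemp)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
        'CONSTRUCTED-PLACEHOLDER-BODY' '-----END RSA PRIVATE KEY-----' > "$f"
    chmod 600 "$f"
    guac_key_check "$f"; guac_key_ok "$f" && echo ok
    rm -f "$f"
}
```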

RDP connections will fail if guacd is run as the daemon user. You need to add a service account for guacd so the app can write to a home directory: https://kifarunix.com/install-guacamole-on-debian-11/#fix-rdp-security-negotiation-failed

Script Installer: https://github.com/MysticRyuujin/guac-install

GPG Key error when updating Buster-Backports: https://unix.stackexchange.com/questions/75807/no-public-key-available-on-apt-get-update#205732

Useful quick guide: https://jasoncoltrin.com/2017/10/04/setup-guacamole-remote-desktop-gateway-on-ubuntu-with-one-script/

Config Docs: https://guacamole.apache.org/doc/0.9.1/gug/configuring-guacamole.html#user-mapping

Proxy Steps: https://kifarunix.com/configure-guacamole-ssl-tls-with-nginx-reverse-proxy/

Rename index.html to index.html.backup, then create index.jsp in its place:

vim index.jsp

Add this line:

 <% response.sendRedirect("/guacamole");%> 

Note that this doesn't take care of port 8080; you'll still need to redirect that with a port forward.

Make a page at the root level of the application directory named error.jsp:

<html>
<head> 
<title>Error Page</title>
</head>
<body> That's an error! </body>
</html>

Then, in your global config web.xml, add these lines at the bottom of the config before the </web-app> closing tag:

<error-page> 
<error-code>404</error-code> 
<location>/error.jsp</location>
</error-page>
<error-page> 
<error-code>403</error-code> 
<location>/error.jsp</location>
</error-page>
<error-page> 
<error-code>500</error-code> 
<location>/error.jsp</location>
</error-page>

Restart Tomcat for this to take effect.

ChatGPT did help with this, but it has worked for me shifting over from a Pi to a VM. This is based on the MysticRyuujin installer, which is getting long in the tooth but is still reliable up to Debian 11.

Apache Guacamole Migration Plan (Debian, MySQL-Based Setup)

Step 1: Backup the MySQL Database

On the old server:

Find Guacamole's MySQL credentials:

grep mysql /etc/guacamole/guacamole.properties

Note down the values for mysql-database, mysql-username, and mysql-password.

Dump the database using --single-transaction to avoid locking issues:

mysqldump -u guacamole_user -p --single-transaction guacamole_db > guacamole_backup.sql

(Enter the password when prompted)

Copy the dump file to the new server:

scp guacamole_backup.sql youruser@newserver:/home/youruser/

Step 2: Backup Configuration Files

Copy the essential Guacamole configuration files:

tar -czvf guac_config_backup.tar.gz /etc/guacamole /etc/guacd.conf /etc/systemd/system/guacd.service
scp guac_config_backup.tar.gz youruser@newserver:/home/youruser/

Step 3: Install Guacamole on the New Server

Run the installer on the new server:

git clone https://github.com/MysticRyuujin/guac-install.git
cd guac-install
sudo ./guac-install.sh

Don’t log in yet. Restore the old database first.

Step 4: Restore the Database

On the new server:

Temporarily grant full privileges to guacamole_user:

sudo mysql -u root -p

Inside MySQL, run:

GRANT ALL PRIVILEGES ON guacamole_db.* TO 'guacamole_user'@'localhost';
FLUSH PRIVILEGES;
EXIT;

Import the database dump:

mysql -u guacamole_user -p guacamole_db < guacamole_backup.sql

Revert guacamole_user permissions to limit access:

sudo mysql -u root -p

Run:

REVOKE ALL PRIVILEGES ON guacamole_db.* FROM 'guacamole_user'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
FLUSH PRIVILEGES;
EXIT;

Step 5: Restore Configuration Files

Extract the config backup and move it into place:

sudo tar -xzvf guac_config_backup.tar.gz -C /
sudo systemctl daemon-reload

Step 6: Restart Services and Verify

Restart the Guacamole services:

sudo systemctl restart guacd
sudo systemctl restart tomcat9

Then log in via the web interface; all users, connections, and settings should be intact.
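Added example, not part of the original page or of the guac-install project: the old-server half of the plan (Steps 1 and 2) as one script that pulls the MySQL settings out of guacamole.properties instead of retyping them and keeps the password off the mysqldump command line. It assumes the paths used in the steps above and a mysqldump that honours --defaults-extra-file.

```shell
#!/bin/sh
# Added example, not from the page or the guac-install project: scripts the
# old-server half of the migration (Steps 1 and 2). It reads the MySQL settings
# out of guacamole.properties and hands the password to mysqldump through a
# mode-600 option file, so it never shows up in `ps` or shell history.
# Paths are the ones the page uses; adjust them if your install differs.
set -eu

# Value of one key in a Java-style properties file ("key: value" or "key = value").
# $1 = properties file, $2 = key name (e.g. mysql-database)
guac_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Write a [client] option file for mysqldump/mysql, readable only by the caller.
# $1 = properties file, $2 = option file to create. Prints the database name.
guac_write_optfile() {
    user=$(guac_prop "$1" mysql-username)
    pass=$(guac_prop "$1" mysql-password)
    # quoted value so passwords containing '#' or spaces survive option parsing
    ( umask 077; printf '[client]\nuser=%s\npassword="%s"\n' "$user" "$pass" > "$2" )
    guac_prop "$1" mysql-database
}

# Steps 1 and 2 together. $1 = directory to write the dump and archive into.
guac_backup() {
    out=$1
    opt="$out/.guac-mysql.cnf"
    db=$(guac_write_optfile /etc/guacamole/guacamole.properties "$opt")
    # --single-transaction: consistent InnoDB snapshot without locking tables
    mysqldump --defaults-extra-file="$opt" --single-transaction "$db" \
        > "$out/guacamole_backup.sql"
    rm -f "$opt"   # don't leave the credentials lying around
    tar -czf "$out/guac_config_backup.tar.gz" /etc/guacamole /etc/guacd.conf \
        /etc/systemd/system/guacd.service
    echo "wrote guacamole_backup.sql and guac_config_backup.tar.gz to $out; scp both to the new server"
}

# Only run the backup when invoked as guac-backup.sh (functions stay sourceable).
case "$0" in *guac-backup.sh) guac_backup "${1:-$HOME}" ;; esac
```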

  • Last modified: 2025/03/14 19:45
  • by jon