
Improve logging on dropped connections

Open matt335672 opened this issue 2 years ago • 3 comments

This issue has been prompted by a discussion with @timriker in #1976.

When an initial connection is made to the xrdp process which is subsequently dropped, the logging is not at all useful, e.g.:

[20211029-10:22:58] [INFO ] [g_sck_accept(os_calls.c:1384)] Socket 12: AF_INET6 connection received from ::ffff:aaa.bbb.ccc.ddd port 53522
[20211029-10:22:58] [INFO ] [xrdp_rdp_read_config(xrdp_rdp.c:225)] Using default X.509 certificate: /etc/xrdp/cert.pem
[20211029-10:22:58] [INFO ] [xrdp_rdp_read_config(xrdp_rdp.c:257)] Using default X.509 key file: /etc/xrdp/key.pem
[20211029-10:22:58] [INFO ] [xrdp_iso_negotiate_security(xrdp_iso.c:194)] Security protocol: configured [SSL|RDP], requested [SSL|HYBRID|HYBRID_EX|RDP], selected [SSL]
[20211029-10:22:58] [ERROR] [ssl_tls_log_error(ssl_calls.c:655)] SSL_read: I/O error
[20211029-10:22:58] [ERROR] [libxrdp_force_read(libxrdp.c:135)] libxrdp_force_read: header read error
[20211029-10:22:58] [ERROR] [xrdp_mcs_recv_connect_initial(xrdp_mcs.c:376)] Processing [ITU-T T.125] Connect-Initial failed
[20211029-10:22:58] [ERROR] [xrdp_mcs_incoming(xrdp_mcs.c:1191)] [MCS Connection Sequence] receive connection request failed
[20211029-10:22:58] [ERROR] [xrdp_sec_incoming(xrdp_sec.c:2869)] xrdp_sec_incoming: xrdp_mcs_incoming failed
[20211029-10:22:58] [ERROR] [xrdp_rdp_incoming(xrdp_rdp.c:917)] xrdp_rdp_incoming: xrdp_sec_incoming failed
[20211029-10:22:58] [ERROR] [xrdp_process_main_loop(xrdp_process.c:302)] xrdp_process_main_loop: libxrdp_process_incoming failed
[20211029-10:22:58] [ERROR] [xrdp_iso_send(xrdp_iso.c:638)] xrdp_iso_send: trans_write_copy_s failed
[20211029-10:22:58] [ERROR] [xrdp_mcs_disconnect(xrdp_mcs.c:1422)] Sending [ITU T.125] DisconnectProviderUltimatum failed

The above log was taken from a connection sequence from the mstsc.exe client when the client decided to prompt the user regarding the presented certificate:


As well as not being very useful, the log messages are indistinguishable from those obtained if a connection attempt was made with no information being presented at all to the server (i.e. a rudimentary port scan).

Where a connection attempt is abandoned before being completed, a more informative message should be added to the log.

matt335672, Oct 29 '21 09:10

Something like: "Connection dropped before auth from: ::ffff:aaa.bbb.ccc.ddd port 53522". I'm not stuck on the exact format, but including IP and port and when it happened would be useful. In other words, was it just a TCP connection, or did the SSL handshake happen, etc. If there is an attempted login, that should trigger a different message that includes the attempted username. Thanks for opening this ticket!

timriker, Oct 29 '21 15:10

See also #2505 where a legitimate tool (Terraform Consul) is causing the log to be spammed with messages. Ideally a port open/close with no data should be logged as such.

matt335672, Jan 18 '23 15:01

Agreed. Port open/close with no data should only log at a higher debug level. Though it would be nice if scanners would do TCP half-open scans. If they do that, then the app layer never sees the scans. Perhaps things like:

[date/time] [DEBUG] Connection dropped with no data from ::ffff:aaa.bbb.ccc.ddd port 53522
[date/time] [INFO] Connection dropped before auth from: ::ffff:aaa.bbb.ccc.ddd port 53522
[date/time] [WARNING] Failed login for user1 from: ::ffff:aaa.bbb.ccc.ddd port 53522

timriker, Jan 18 '23 17:01
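As an added illustration (not code from this issue or from the xrdp project), here is a small Python post-processor that reduces the accept/read-error sequences in the log format quoted above to the one-line summaries proposed in the thread, separating a socket that closed without sending anything from one that got as far as security negotiation. It assumes that lines following a g_sck_accept message belong to that connection until the next accept, and treats a "Security protocol:" line as evidence that the client sent at least an X.224 connection request; neither is guaranteed by xrdp.

```python
import re

# Constructed sample in the xrdp log format quoted in this issue (not a real capture).
# Connection 1 reaches security negotiation and then drops; connection 2 sends nothing.
SAMPLE_LOG = """\
[20211029-10:22:58] [INFO ] [g_sck_accept(os_calls.c:1384)] Socket 12: AF_INET6 connection received from ::ffff:aaa.bbb.ccc.ddd port 53522
[20211029-10:22:58] [INFO ] [xrdp_iso_negotiate_security(xrdp_iso.c:194)] Security protocol: configured [SSL|RDP], requested [SSL|HYBRID|HYBRID_EX|RDP], selected [SSL]
[20211029-10:22:58] [ERROR] [ssl_tls_log_error(ssl_calls.c:655)] SSL_read: I/O error
[20211029-10:22:58] [ERROR] [libxrdp_force_read(libxrdp.c:135)] libxrdp_force_read: header read error
[20211029-10:23:05] [INFO ] [g_sck_accept(os_calls.c:1384)] Socket 13: AF_INET6 connection received from ::ffff:203.0.113.9 port 40001
[20211029-10:23:05] [ERROR] [libxrdp_force_read(libxrdp.c:135)] libxrdp_force_read: header read error
"""

# "[stamp] [LEVEL ] [func(file:line)] message"; the level field is padded ("INFO ").
LINE_RE = re.compile(r"^\[(\S+)\] \[(\w+)\s*\] \[[^\]]+\] (.*)$")
ACCEPT_RE = re.compile(r"connection received from (\S+) port (\d+)")


def summarize_drops(log_text):
    """Return one summary line per dropped connection found in log_text.

    Assumption (not guaranteed by xrdp): lines after an accept belong to that
    connection until the next accept, and a 'Security protocol:' line means
    the peer sent data (an X.224 connection request) before dropping.
    """
    summaries = []
    current = None  # the connection currently being tracked
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp, _level, msg = m.groups()
        accept = ACCEPT_RE.search(msg)
        if accept:
            current = {"ip": accept.group(1), "port": accept.group(2), "negotiated": False}
            continue
        if current is None:
            continue
        if msg.startswith("Security protocol:"):
            current["negotiated"] = True
        elif "header read error" in msg:
            peer = f"{current['ip']} port {current['port']}"
            if current["negotiated"]:
                summaries.append(f"[{stamp}] [INFO] Connection dropped before auth from: {peer}")
            else:
                summaries.append(f"[{stamp}] [DEBUG] Connection dropped with no data from {peer}")
            current = None
    return summaries


if __name__ == "__main__":
    for line in summarize_drops(SAMPLE_LOG):
        print(line)
```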