How to handle port scanning and logs? #3045
Unanswered
araujofrancisco asked this question in Q&A
I have noticed that xrdp.log is growing fast due to port scans and the error reported on SSL:

```
[20240424-09:09:04] [ERROR] Sending [ITU T.125] DisconnectProviderUltimatum failed
[20240424-09:09:04] [INFO ] Socket 12: AF_INET connection received from 193.56.116.205 port 50515
[20240424-09:09:04] [INFO ] Security protocol: configured [SSL|RDP], requested [SSL|HYBRID|RDP], selected [SSL]
[20240424-09:09:04] [ERROR] SSL_accept: I/O error
[20240424-09:09:04] [ERROR] trans_set_tls_mode: ssl_tls_accept failed
[20240424-09:09:04] [ERROR] xrdp_sec_incoming: trans_set_tls_mode failed
[20240424-09:09:04] [ERROR] xrdp_rdp_incoming: xrdp_sec_incoming failed
[20240424-09:09:04] [ERROR] xrdp_process_main_loop: libxrdp_process_incoming failed
[20240424-09:09:04] [ERROR] xrdp_iso_send: trans_write_copy_s failed
[20240424-09:09:04] [ERROR] Sending [ITU T.125] DisconnectProviderUltimatum failed
```

This causes the log file to grow to about 70MB a day. I implemented some ipset/iptables rules to drop connections when a port scanner is detected, but it seems to detect just a few of them.

What are the strategies you apply in a similar situation? Are you setting logs for core only? Any reliable way to detect port scanners and stop them more effectively?

-

This is a known problem - see #2040. The best solution to this is to use a VPN for any RDP connection. This guards against all sorts of problems, not just logging ones - it's in the FAQ.
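The question asks for a more reliable way to pick scanners out of xrdp.log than the few the existing ipset rules catch. As an added example (not code from this thread or from the xrdp project), the script below ties each "connection received" line to the SSL_accept failure that follows it and flags source addresses whose failed handshakes exceed a threshold inside a time window, which is the kind of filter a fail2ban jail or an ipset feed can be built on; the sample log lines, the addresses (documentation ranges) and the threshold/window values are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line shapes from the xrdp.log excerpt in the question; the SSL_accept error
# carries no address, so it is tied to the preceding "connection received" line.
TS = r"\[(?P<ts>\d{8}-\d{2}:\d{2}:\d{2})\] "
CONN_RE = re.compile(TS + r"\[INFO \] Socket \d+: AF_INET connection received from (?P<ip>\S+) port \d+")
FAIL_RE = re.compile(TS + r"\[ERROR\] SSL_accept: I/O error")

def tls_failures_by_ip(lines):
    """Map each source IP to the timestamps of its failed TLS handshakes.
    Assumes the error follows the 'connection received' line of the same
    connection; xrdp forks per connection, so under load lines of two peers
    can interleave and a failure may land on the wrong IP (tolerable for
    rate-based flagging, so verify before turning a hit into a block)."""
    failures = defaultdict(list)
    current_ip = None
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            current_ip = m.group("ip")
            continue
        if (m := FAIL_RE.match(line)) and current_ip:
            failures[current_ip].append(datetime.strptime(m.group("ts"), "%Y%m%d-%H:%M:%S"))
            current_ip = None            # count each connection at most once
    return failures

def flag_scanners(lines, threshold=5, window_s=600):
    """Return {ip: total failures} for IPs with >= threshold failures inside any window_s span."""
    flagged = {}
    for ip, stamps in tls_failures_by_ip(lines).items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                flagged[ip] = len(stamps)
                break
    return flagged

def constructed_log():
    """Constructed sample in the question's log format; addresses are documentation ranges."""
    lines = []
    for i in range(6):                   # scanner: 6 failed handshakes within 150 seconds
        ts = f"20240424-09:{10 + i // 2:02d}:{(i % 2) * 30:02d}"
        lines.append(f"[{ts}] [INFO ] Socket 12: AF_INET connection received from 198.51.100.7 port {50000 + i}")
        lines.append(f"[{ts}] [ERROR] SSL_accept: I/O error")
    lines.append("[20240424-09:20:00] [INFO ] Socket 13: AF_INET connection received from 192.0.2.10 port 40001")
    lines.append("[20240424-09:20:00] [ERROR] SSL_accept: I/O error")   # one-off failure, stays unflagged
    return lines
```

Running `flag_scanners(open("/var/log/xrdp.log"))` over a real file yields the addresses to review; a single failed handshake from a legitimate client never crosses the threshold, which is the point of rate-based rather than per-event blocking.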