From 2224b3db4a5e9bf045131f02bd92cec8945e1e7d Mon Sep 17 00:00:00 2001
From: Evan Linde
Date: Thu, 7 Apr 2022 20:51:20 -0500
Subject: [PATCH 1/6] extend date regex to include xrdp's %Y%m%d-%H:%M:%S format
---
 fail2ban/server/datedetector.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fail2ban/server/datedetector.py b/fail2ban/server/datedetector.py
index b90e1b26..53d055bc 100644
--- a/fail2ban/server/datedetector.py
+++ b/fail2ban/server/datedetector.py
@@ -165,8 +165,8 @@ class DateDetectorCache(object):
 r"%b %d, %ExY %I:%M:%S %p",
 # ASSP: Apr-27-13 02:33:06
 r"^%b-%d-%Exy %k:%M:%S",
- # 20050123T215959, 20050123 215959, 20050123 85959
- r"%ExY%Exm%Exd(?:T| ?)%ExH%ExM%ExS(?:[.,]%f)?(?:\s*%z)?",
+ # 20050123T215959, 20050123 215959, 20050123 85959, 20050123-21:59:59
+ r"%ExY%Exm%Exd(?:-|T| ?)%ExH:?%ExM:?%ExS(?:[.,]%f)?(?:\s*%z)?",
 # prefixed with optional named time zone (monit):
 # PDT Apr 16 21:05:29
 r"(?:%Z )?(?:%a )?%b %d %k:%M:%S(?:\.%f)?(?: %ExY)?",
From 11768a97e96d1f0c73e582c7f34e4b1c21a76387 Mon Sep 17 00:00:00 2001
From: Evan Linde
Date: Thu, 7 Apr 2022 21:34:33 -0500
Subject: [PATCH 2/6] add filter for xrdp
---
 ChangeLog | 1 +
 config/filter.d/xrdp.conf | 34 +++++++++++++++++++++++++++++++
 config/jail.conf | 6 ++++++
 fail2ban/tests/files/logs/xrdp | 37 ++++++++++++++++++++++++++++++++++
 4 files changed, 78 insertions(+)
 create mode 100644 config/filter.d/xrdp.conf
 create mode 100644 fail2ban/tests/files/logs/xrdp
diff --git a/ChangeLog b/ChangeLog
index d386ceef..cb2959a5 100644
--- a/ChangeLog
+++ b/ChangeLog
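Review bot: The two independent `:?` in the new template also accept mixed forms such as `20050123-2159:59` or `20050123T21:5959` that no logger emits, and because this list is the shared `DateDetectorCache`, every filter without its own `datepattern` gets the looser match; tying the separators together, `r"%ExY%Exm%Exd(?:-|T| ?)%ExH(?::%ExM:%ExS|%ExM%ExS)(?:[.,]%f)?(?:\s*%z)?"`, keeps the old compact forms (`215959`, `85959`) and adds only the colon-delimited one. Later commits in this series give `filter.d/xrdp.conf` an anchored `datepattern` for exactly the `%Y%m%d-%H:%M:%S` form, so it is worth confirming this global change is still needed at all. If it stays, a datedetector test for `20050123-21:59:59`, plus one showing `20050123T215959` and `20050123 85959` still parse unchanged, should accompany it. The template list this hunk edits starts and ends outside the hunk.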
@@ -45,6 +45,7 @@ ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition
 - new options `kill-mode` and `kill` to drop established connections of intruder (see action for details, gh-3018)
 * `filter.d/nginx-http-auth.conf` - extended with parameter mode, so additionally to `auth` (or `normal`) mode `fallback` (or combined as `aggressive`) can find SSL errors while SSL handshaking, gh-2881
+* `filter.d/xrdp.conf` - new filter for XRDP, an open source RDP server
 ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools
diff --git a/config/filter.d/xrdp.conf b/config/filter.d/xrdp.conf
new file mode 100644
index 00000000..c625b496
--- /dev/null
+++ b/config/filter.d/xrdp.conf
@@ -0,0 +1,34 @@
+#
+# Fail2Ban filter for XRDP
+#
+# Detects login attempts with invalid credentials
+#
+# Requirements:
+# - xrdp >= 0.9.19
+# - The log level in sesman.ini should be set to `INFO` or higher
+# to emit the log messages needed for this filter.
+#
+# Author: Evan Linde
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[DEFAULT]
+
+_daemon = xrdp-sesman
+
+
+[Definition]
+
+authfail_re = \[INFO \] AUTHFAIL: user=.+ ip= time=\d+
+
+failregex = ^%(__prefix_line)s%(authfail_re)s$
+
+ignoreregex =
+
+
diff --git a/config/jail.conf b/config/jail.conf
index fe8db527..f04e8be7 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -978,3 +978,9 @@ banaction = %(banaction_allports)s
 [monitorix]
 port = 8080
 logpath = /var/log/monitorix-httpd
+
+
+[xrdp]
+port = 3389
+logpath = /var/log/xrdp-sesman.log
+
diff --git a/fail2ban/tests/files/logs/xrdp b/fail2ban/tests/files/logs/xrdp
new file mode 100644
index 00000000..1a9e8ee2
--- /dev/null
+++ b/fail2ban/tests/files/logs/xrdp
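Review bot: `user=.+` in `authfail_re` is attacker-controlled text, and the only thing that stops a username such as `x ip=192.168.0.4 time=1` from supplying the banned address is that `failregex` is `$`-anchored through `time=\d+`, so the host tag after `ip=` (stripped in this rendering) always binds to the last pair on the line; that invariant deserves a comment next to the line, e.g. `# the username is attacker-controlled: keep the trailing "time=\d+" and the $ anchor so the host is always the last ip= on the line (see tests/files/logs/xrdp)`. The filter also defines no `journalmatch`, so a jail using `backend = systemd` cannot restrict its read to sesman's unit; if the unit is `xrdp-sesman.service` the usual line is `journalmatch = _SYSTEMD_UNIT=xrdp-sesman.service`. `_daemon = xrdp-sesman` correctly keeps the `xrdp[...]` lines, which the test file marks as non-matching, out of scope.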
@@ -0,0 +1,37 @@
+#
+# /var/log/xrdp-sesman.log -- should be about the same on any linux distro
+#
+
+# failJSON: { "time": "2022-04-07T12:11:06", "match": true, "host": "10.171.161.151"}
+[20220407-12:11:06] [INFO ] AUTHFAIL: user=badtypist ip=::ffff:10.171.161.151 time=1649351466
+
+# ip injection: 10.171.161.151 should be matched as the host; 192.168.0.1 is an innocent, injected address
+# failJSON: { "time": "2022-04-07T12:11:24", "match": true, "host": "10.171.161.151", "desc": "specifying ip address as username"}
+[20220407-12:11:24] [INFO ] AUTHFAIL: user=192.168.0.1 ip=::ffff:10.171.161.151 time=1649351484
+
+# ip injection: 10.171.161.151 should be matched as the host; 192.168.0.4 is an innocent, injected address
+# failJSON: { "time": "2022-04-07T12:22:02", "match": true, "host": "10.171.161.151", "desc": "more devious log injection"}
+[20220407-12:22:02] [INFO ] AUTHFAIL: user=loginjector ip=192.168.0.4 time=123456789\n[20220407-12:16:59] [INFO ] AUTHFAIL: user=endinjection ip=::ffff:10.171.161.151 time=1649352122
+
+
+#
+# /var/log/messages -- RHEL/Fedora family
+#
+
+# failJSON: { "time": "2005-04-07T12:11:06", "match": true, "host": "10.171.161.151"}
+Apr 7 12:11:06 servername xrdp-sesman[41441]: [INFO ] AUTHFAIL: user=badtypist ip=::ffff:10.171.161.151 time=1649351466
+
+# ip injection: 10.171.161.151 should be matched as the host; 192.168.0.1 is an innocent, injected address
+# failJSON: { "time": "2005-04-07T12:11:24", "match": true, "host": "10.171.161.151", "desc": "specifying ip address as username"}
+Apr 7 12:11:24 servername xrdp-sesman[41441]: [INFO ] AUTHFAIL: user=192.168.0.1 ip=::ffff:10.171.161.151 time=1649351484
+
+# ip injection: 10.171.161.151 should be matched as the host; 192.168.0.4 is an innocent, injected address
+# failJSON: { "time": "2005-04-07T12:22:02", "match": true, "host": "10.171.161.151", "desc": "more devious log injection"}
+Apr 7 12:22:02 servername xrdp-sesman[41441]: [INFO ] AUTHFAIL: user=loginjector
ip=192.168.0.4 time=123456789\n[20220407-12:16:59] [INFO ] AUTHFAIL: user=endinjection ip=::ffff:10.171.161.151 time=1649352122
+
+# ip injection: innocent, injected ip 192.168.0.4 in a line that shouldn't contain a host
+# failJSON: { "match": false }
+Apr 7 12:22:02 servername xrdp[52415]: [INFO ] xrdp_wm_log_msg: login failed for user loginjector ip=192.168.0.4 time=12345\n[20220407-12:16:59] [INFO ] AUTHFAIL: user=endinjection
+
+# failJSON: { "match": false }
+Apr 7 12:22:02 servername xrdp[52415]: [INFO ] n[20220407-12:16:59] [INFO ] AUTHFAIL: user=endinjection
From 6a2d2aa97a4675980a475fbdf9024b4bddf06a7f Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Fri, 8 Apr 2022 09:55:44 +0200
Subject: [PATCH 3/6] capture user, add datepattern (anchored exact main format and fail2ban defaults)
---
 config/filter.d/xrdp.conf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/config/filter.d/xrdp.conf b/config/filter.d/xrdp.conf
index c625b496..6937acb8 100644
--- a/config/filter.d/xrdp.conf
+++ b/config/filter.d/xrdp.conf
@@ -25,10 +25,11 @@ _daemon = xrdp-sesman
 [Definition]
-authfail_re = \[INFO \] AUTHFAIL: user=.+ ip= time=\d+
+authfail_re = \[INFO \] AUTHFAIL: user=.+ ip= time=\d+
 failregex = ^%(__prefix_line)s%(authfail_re)s$
 ignoreregex =
-
+datepattern = ^\[?%%ExY%%Exm%%Exd[-|T]%%ExH:?%%ExM:?%%ExS(?:[.,]%%f)?(?:\s*%%z)?\]?
+ ^{DATE}
From 64983ecc29239b015e324f23c1f4635c5d3164e9 Mon Sep 17 00:00:00 2001
From: evanlinde
Date: Fri, 8 Apr 2022 09:48:35 -0500
Subject: [PATCH 4/6] Make added date pattern specific to xrdp's format
---
 config/filter.d/xrdp.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/xrdp.conf b/config/filter.d/xrdp.conf
index 6937acb8..803219f6 100644
--- a/config/filter.d/xrdp.conf
+++ b/config/filter.d/xrdp.conf
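Review bot: The two "more devious log injection" samples carry a literal two-character `\n`, not a real line break, so what they prove is that the `$`-anchored regex takes the last `ip=` on a single line; nothing here covers the case where sesman writes an actual newline from the username, in which the first physical line, `[20220407-12:22:02] [INFO ] AUTHFAIL: user=loginjector ip=192.168.0.4 time=123456789`, is a complete well-formed record and the filter would ban 192.168.0.4. Only the logging side can prevent that (whether sesman strips control characters from the username is not visible on this page), so the limitation should be stated above the samples, e.g. `# NOTE: the \n below is a literal escape, not a newline; a real newline written by sesman would yield a standalone forged line this filter cannot distinguish`. A sample with a legitimate username containing a space, such as `user=bad typist`, would additionally show that spaced names still bind the correct host.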
@@ -31,5 +31,5 @@ failregex = ^%(__prefix_line)s%(authfail_re)s$
 ignoreregex =
-datepattern = ^\[?%%ExY%%Exm%%Exd[-|T]%%ExH:?%%ExM:?%%ExS(?:[.,]%%f)?(?:\s*%%z)?\]?
+datepattern = ^\[?%%ExY%%Exm%%Exd-%%ExH:%%ExM:%%ExS\]?
 ^{DATE}
From 5a0224ff0e68c39239cc16f184b5dde15a2dc229 Mon Sep 17 00:00:00 2001
From: evanlinde
Date: Fri, 8 Apr 2022 09:52:52 -0500
Subject: [PATCH 5/6] Use potentially faster regex for username match
---
 config/filter.d/xrdp.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/xrdp.conf b/config/filter.d/xrdp.conf
index 803219f6..253bcf8d 100644
--- a/config/filter.d/xrdp.conf
+++ b/config/filter.d/xrdp.conf
@@ -25,7 +25,7 @@ _daemon = xrdp-sesman
 [Definition]
-authfail_re = \[INFO \] AUTHFAIL: user=.+ ip= time=\d+
+authfail_re = \[INFO \] AUTHFAIL: user=(?:\S+|.+) ip= time=\d+
 failregex = ^%(__prefix_line)s%(authfail_re)s$
From 45453826a3734667ac735e43d3598d19344f5ac1 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Sun, 7 Dec 2025 01:18:04 +0100
Subject: [PATCH 6/6] small amend with missing newline
---
 config/jail.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/jail.conf b/config/jail.conf
index e72ba19b..d0b3fa44 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -998,4 +998,4 @@ logpath = /var/log/vaultwarden.log
 [xrdp]
 port = 3389
-logpath = /var/log/xrdp-sesman.log
\ No newline at end of file
+logpath = /var/log/xrdp-sesman.log
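Review bot: The reason for `(?:\S+|.+)` lives only in the commit message; inside the filter it reads as a redundant alternation, so it needs a comment above `authfail_re`, e.g. `# \S+ first so a normal username matches without scanning to end of line; .+ is the fallback for names containing spaces`. Matching is unchanged because both branches must still reach the same `ip=`/`time=\d+` tail before `$`, so the host is still taken from the last `ip=` on the line. The speed-up applies only on the common path: a username containing whitespace, including the injected ` ip=... time=...` forms in the test log, still falls through to `.+` with at least the previous backtracking cost. The `[Definition]` section continues outside this hunk.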