DigitalRuby / IPBan

MIT License

Can not detect logins #78

Closed FlavijeC closed 4 years ago

FlavijeC commented 4 years ago

Hello. OS: Windows Server 2012 R2 [x64 Virtual Private Server]. The service is running properly, but it is not detecting logins: no success or failure. Also the system does not ban.

Audit Policies are turned on: "Local Policies -> Audit Policy and turn failure logging on for "audit account logon events" and "audit logon events"."

Is it possible to check the existence in Windows Event Viewer of the events IPBan uses?

Thanks

jjxtra commented 4 years ago

Check security section of event viewer. You can also check the terminal services logs in event viewer. Is nla off?

FlavijeC commented 4 years ago

Hi, NTLM login is not disabled. Reason: after disabling it, RDC could not log in. The error is: "An authentication error has occurred. The function requested is not supported.

Remote computer: ip address This could be due to CredSSP encryption oracle remediation."

jjxtra commented 4 years ago

Can you post the raw xml instead? That will be more helpful, feel free to change the ip address.

FlavijeC commented 4 years ago

Ok. How to do that? What is raw xml?

jjxtra commented 4 years ago

In the event viewer for the event click 'Details' tab and then XML.

FlavijeC commented 4 years ago

Interesting... When I click the "Details" tab, Event Viewer [Snap-in] crashes with the following message: "MMC has detected an error in a snap-in and will unload it."

Error ID: FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}

jjxtra commented 4 years ago

Hmmm. Well that's bad. Without the XML I am unable to add a hook in ipban to find the event and add a failed login.

You could try https://serverfault.com/questions/353434/export-entire-windows-log-to-xml

FlavijeC commented 4 years ago

Ok. I will resolve this and post it.. Thanks

FlavijeC commented 4 years ago

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS" Guid="{1139C61B-B549-4251-8ED3-27250A1EDEC8}" />
    <EventID>131</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>4</Task>
    <Opcode>15</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2019-12-30T05:48:02.920965000Z" />
    <EventRecordID>3052</EventRecordID>
    <Correlation ActivityID="{F4201D86-EE9B-4D30-8A42-7DE305140000}" />
    <Execution ProcessID="1456" ThreadID="1624" />
    <Channel>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational</Channel>
    <Computer>WIN-IV32CV91V34</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData>
    <Data Name="ConnType">TCP</Data>
    <Data Name="ClientIP">x.x.x.x:50354</Data>
  </EventData>
</Event>

FlavijeC commented 4 years ago

And logfile.txt

2019-12-29 19:19:35.5696|WARN|DigitalRuby.IPBanCore.Logger|Stopped IPBan service
2019-12-29 19:19:48.0356|WARN|DigitalRuby.IPBanCore.Logger|Running as a Windows service
2019-12-29 19:20:04.2106|WARN|DigitalRuby.IPBanCore.Logger|Loaded firewall type DigitalRuby.IPBanCore.IPBanWindowsFirewall
2019-12-29 19:20:04.3333|WARN|DigitalRuby.IPBanCore.Logger|Syncing firewall and ipban.sqlite database...
2019-12-29 19:20:04.4128|WARN|DigitalRuby.IPBanCore.Logger|0 total ip addresses in the ipban.sqlite database
2019-12-29 19:20:05.7911|WARN|DigitalRuby.IPBanCore.Logger|Event viewer query string: <QueryList><Query Id='1' Path='Security'><Select Path='Security'>*[System[(band(Keywords,9227875636482146304))]]</Select></Query><Query Id='2' Path='Security'><Select Path='Security'>*[System[(band(Keywords,9227875636482146304))]]</Select></Query><Query Id='3' Path='Application'><Select Path='Application'>*[System[(band(Keywords,36028797018963968))]]</Select></Query><Query Id='4' Path='Application'><Select Path='Application'>*[System[(band(Keywords,40532396646334464))]]</Select></Query><Query Id='5' Path='Application'><Select Path='Application'>*[System[(band(Keywords,36028797018963968))]]</Select></Query><Query Id='6' Path='System'><Select Path='System'>*[System[(band(Keywords,36028797018963968))]]</Select></Query><Query Id='7' Path='Application'><Select Path='Application'>*[System[(band(Keywords,36028797018963968))]]</Select></Query><Query Id='8' Path='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'><Select Path='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'>*[System[(band(Keywords,4611686018427387904))]]</Select></Query><Query Id='9' Path='Application'><Select Path='Application'>*[System[(band(Keywords,36028797018963968))]]</Select></Query></QueryList>
2019-12-29 19:20:05.7911|WARN|DigitalRuby.IPBanCore.Logger|Ignoring event viewer path OpenSSH/Operational
2019-12-29 19:20:07.6689|WARN|DigitalRuby.IPBanCore.Logger|Updating firewall with 0 entries...
2019-12-29 19:20:07.7013|WARN|DigitalRuby.IPBanCore.Logger|IPBan Windows service started and initialized. Operating System: Name: Windows, Version: 6.3.9600, Friendly Name: Microsoft Windows Server 2012 R2 Standard, Description: Microsoft Windows 6.3.9600
2019-12-29 19:20:07.7013|WARN|DigitalRuby.IPBanCore.Logger|Log levels: True,True,True,False,False,False

jjxtra commented 4 years ago

Are all the XML you shared failed login attempts?

FlavijeC commented 4 years ago

Yes. That's right.

jjxtra commented 4 years ago

I will add unit tests for the last one, the other ones do not have a valid ip address and so cannot be used. I think this is a case where NTLM is turned on and people are trying to login with NTLM and Windows is not smart enough to get the ip address. Solution is to disable NTLM.

FlavijeC commented 4 years ago

Any idea why Windows did not log IP addresses for failed login attempts?

jjxtra commented 4 years ago

Server 2012 (and worse even for 2008) has some issues with this. Turning off NTLM is a big help. More info here: https://stackoverflow.com/questions/1734635/event-logging-ipaddress-does-not-always-resolve
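The two things asked about in this thread, whether the Security log actually contains the logon events IPBan reads and why some of them carry no source IP, can be checked from PowerShell on the server. The script below is an added example and is not IPBan project code; it assumes it runs in an elevated PowerShell session on the server and uses only the standard 4625 event fields (`TargetUserName`, `LogonType`, `AuthenticationPackageName`, `IpAddress`):

```powershell
# Added example, not IPBan project code. Lists failed logons (Security event 4625)
# from the last $Hours hours and reports how many carry a usable source IP.
# Assumes: run in an elevated PowerShell on the server itself.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                         -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    # Nothing logged at all: failure auditing for logon events is probably off.
    Write-Host "No 4625 events since $since. Verify with: auditpol /get /category:Logon/Logoff"
    return
}

$rows = @(foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data>... into a hashtable.
    $xml = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        $data[$node.GetAttribute('Name')] = $node.InnerText
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $data['TargetUserName']
        LogonType   = $data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']
        IpAddress   = $data['IpAddress']
        # Windows writes '-' when it could not determine the client address;
        # an event without an address gives IPBan nothing to ban.
        HasIp       = [bool]($data['IpAddress'] -and $data['IpAddress'] -ne '-')
    }
})

$rows | Sort-Object Time -Descending |
    Format-Table Time, User, LogonType, AuthPackage, IpAddress -AutoSize

$noIp = @($rows | Where-Object { -not $_.HasIp })
Write-Host ("{0} of {1} failed logons have no source IP" -f $noIp.Count, $rows.Count)
# Which authentication package produced the address-less events; NTLM is the
# usual source on Server 2012, which is what the NTLM-off advice above targets.
$noIp | Group-Object AuthPackage | Select-Object Name, Count | Format-Table -AutoSize
```

If the first branch fires there is nothing for IPBan to read and the audit policy is the problem; if events exist but the summary shows most of them without an address, the logging side is fine and the NTLM settings are what need changing.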

FlavijeC commented 4 years ago

👍 I will check it out. Thank you

jjxtra commented 4 years ago

I am blocking that same XML but only with opcode 14. I am a little worried about adding opcode 15 which is what your XML has. If you successfully login, what opcode do you get?

jjxtra commented 4 years ago

I just did a test on server 2012, logged in successfully, got opcode 15 that looked identical to your XML, so I can't block on that opcode.
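To reproduce this opcode comparison on your own host rather than from a single exported record, the script below (an added example, not IPBan project code) reads the recent RdpCoreTS event 131 entries, splits `ClientIP` into address and port, and tallies the events by opcode. It assumes an elevated session and the channel name shown in the XML above:

```powershell
# Added example, not IPBan project code. Reads the most recent RdpCoreTS event 131
# entries and tallies them by opcode, with the client address split from its port.
# Assumes: run elevated on the server; the channel name is the one from the XML above.
$log = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 131 } -MaxEvents 200 `
                         -ErrorAction SilentlyContinue)

$rows = @(foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        $data[$node.GetAttribute('Name')] = $node.InnerText
    }
    # ClientIP is "address:port" (e.g. x.x.x.x:50354 in the XML above); a ban
    # decision needs only the address, so split on the last colon. A bracketed
    # IPv6 form "[addr]:port" is handled by trimming the brackets as well.
    $clientIp = $data['ClientIP']
    $address = $null; $port = $null
    if ($clientIp -and $clientIp.Contains(':')) {
        $cut = $clientIp.LastIndexOf(':')
        $address = $clientIp.Substring(0, $cut).Trim('[', ']')
        $port = $clientIp.Substring($cut + 1)
    }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Opcode   = $e.Opcode
        ConnType = $data['ConnType']
        Address  = $address
        Port     = $port
    }
})

$rows | Sort-Object Time -Descending | Format-Table -AutoSize
# If failed and successful sessions land in the same opcode bucket, that opcode
# carries no signal on its own and cannot be used as a ban trigger.
$rows | Group-Object Opcode | ForEach-Object { '{0,4} events with opcode {1}' -f $_.Count, $_.Name }
```

Run it, make one deliberate failed and one successful RDP logon, and compare the two newest rows; if both show the same opcode, the event only tells you that a connection happened, which is exactly why it cannot stand in for a failed-logon record.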

FlavijeC commented 4 years ago

This is an unsuccessful login from RemoteDesktopServices-RdpCoreTS with event id 131


<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS" Guid="{1139C61B-B549-4251-8ED3-27250A1EDEC8}" />
    <EventID>131</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>4</Task>
    <Opcode>15</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2019-12-30T15:12:06.577100800Z" />
    <EventRecordID>3062</EventRecordID>
    <Correlation ActivityID="{F4208B84-5122-4526-8ED3-5F0B8E4C0000}" />
    <Execution ProcessID="1456" ThreadID="1624" />
    <Channel>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational</Channel>
    <Computer>WIN-T2</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData>
    <Data Name="ConnType">TCP</Data>
    <Data Name="ClientIP">x.x.x.x:14836</Data>
  </EventData>
</Event>

FlavijeC commented 4 years ago

This is a successful login from RemoteDesktopServices-RdpCoreTS with event id 131


<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS" Guid="{1139C61B-B549-4251-8ED3-27250A1EDEC8}" />
    <EventID>131</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>4</Task>
    <Opcode>15</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2019-12-30T15:15:07.702163900Z" />
    <EventRecordID>3067</EventRecordID>
    <Correlation ActivityID="{F42071A2-60C6-4768-91CA-5C5E1EC90000}" />
    <Execution ProcessID="1456" ThreadID="1624" />
    <Channel>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational</Channel>
    <Computer>WIN-DD</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData>
    <Data Name="ConnType">TCP</Data>
    <Data Name="ClientIP">x.x.x.x:50774</Data>
  </EventData>
</Event>

FlavijeC commented 4 years ago

At this time I performed the following actions [after them IPBan works like a charm], as described in https://stackoverflow.com/questions/1734635/event-logging-ipaddress-does-not-always-resolve

Required: Computer Configuration\Windows Settings\Security Settings\Security Options

Network security: LAN Manager authentication level -- Send NTLMv2 response only. Refuse LM & NTLM
Network security: Restrict NTLM: Audit Incoming NTLM Traffic -- Enable auditing for all accounts
Network security: Restrict NTLM: Incoming NTLM traffic -- Deny all accounts

After these steps I could not log in to RDP due to the following error:

"An authentication error has occurred. The function requested is not supported.

Remote computer: ip address This could be due to CredSSP encryption oracle remediation."

Then I performed the LAST STEP: right-click This PC, Properties, Remote Settings and UNCHECK "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".

After this LAST STEP, I could log in in the following way: RDC always connects to the VPS [accept the certificate meanwhile] and shows me the Windows interactive login screen, and I have to manually enter the password at login.

Could you confirm that the behavior of this LAST STEP is normal?
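The four settings changed in the comment above can be verified without opening the policy editor. The script below is an added example, not IPBan project code; the policy-to-registry mapping it relies on is the standard one Windows uses to store these security options (`LmCompatibilityLevel`, `AuditReceivingNTLMTraffic`, `RestrictReceivingNTLMTraffic`, and the RDP-Tcp `UserAuthentication` value for NLA) and is an assumption of the example, not something stated in this thread:

```powershell
# Added example, not IPBan project code. Reads the registry values behind the four
# settings listed above and reports whether each matches what was configured here.
# Assumed policy-to-registry mapping (standard Windows security option storage,
# not something stated in this thread). Run in an elevated PowerShell session.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$checks = @(
    @{ Policy = 'LAN Manager authentication level (5 = Send NTLMv2 only, refuse LM & NTLM)'
       Path = $lsa; Name = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Policy = 'Restrict NTLM: Audit Incoming NTLM Traffic (2 = all accounts)'
       Path = $msv; Name = 'AuditReceivingNTLMTraffic'; Expected = 2 },
    @{ Policy = 'Restrict NTLM: Incoming NTLM traffic (2 = deny all accounts)'
       Path = $msv; Name = 'RestrictReceivingNTLMTraffic'; Expected = 2 },
    @{ Policy = 'RDP: require Network Level Authentication (0 = unchecked, as in the LAST STEP)'
       Path = $rdp; Name = 'UserAuthentication'; Expected = 0 }
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    # A missing value means the policy was never set and the OS default applies.
    $actual = if ($null -ne $item) { $item.($c.Name) } else { '(not set)' }
    $state = if ("$actual" -eq "$($c.Expected)") { 'OK  ' } else { 'DIFF' }
    '{0} {1,-30} actual={2,-9} expected={3}  {4}' -f $state, $c.Name, $actual, $c.Expected, $c.Policy
}
```

The script only reads; it does not change anything. Note what the last row represents: with `UserAuthentication` at 0 the client reaches the Windows logon screen before it has authenticated, which is why RDC now shows the interactive login prompt. That is the trade-off being made here, a source IP in the log in exchange for exposing the logon screen pre-authentication, and the first three rows (the NTLM restrictions) are the part that actually gives IPBan an address to act on.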

jjxtra commented 4 years ago

Yes it's normal. I don't see a difference between the failed and success login XML and therefore unfortunately cannot use it.

FlavijeC commented 4 years ago

Considering last post we can close this ticket. Information above can be used to setup Win 2012 with IPBan.

Thanks again for your support and thanks for this wonderful piece of software Jeff.

jjxtra commented 4 years ago

You are welcome, happy new year!

FlavijeC commented 4 years ago

Happy new year!