Open matt335672 opened 2 years ago
Something like: "Connection dropped before auth from: ::ffff:aaa.bbb.ccc.ddd port 53522" I'm not stuck on the exact format, but including IP and port and when it happened would be useful. In other words, was it just a TCP connection, or did the SSL handshake happen, etc. If there is an attempted login, that should trigger a different message that includes the attempted username. Thanks for opening this ticket!
See also #2505 where a legitimate tool (Terraform Consul) is causing the log to be spammed with messages. Ideally a port open/close with no data should be logged as such.
Agreed. Port open/close with no data should only log at a higher debug level. Though it would be nice if scanners would do TCP half-open scans. If they do that, then the app layer never sees the scans. Perhaps things like:

    [date/time] [DEBUG] Connection dropped with no data from ::ffff:aaa.bbb.ccc.ddd port 53522
    [date/time] [INFO] Connection dropped before auth from: ::ffff:aaa.bbb.ccc.ddd port 53522
    [date/time] [WARNING] Failed login for user1 from: ::ffff:aaa.bbb.ccc.ddd port 53522
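As an added example (not code from the xrdp project or from anyone in this thread), here is a small Python parser for the three message kinds proposed above, assuming the `[date/time] [LEVEL] message` layout shown; it strips the `::ffff:` IPv4-mapped prefix and tallies events per source address so bare port probes can be separated from abandoned handshakes and real login attempts. The log lines, timestamps, addresses and usernames are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format proposed in the comment above
# (placeholder timestamps, RFC 5737 documentation addresses, made-up users).
SAMPLE_LOG = """\
[2023-01-01 12:00:00] [DEBUG] Connection dropped with no data from ::ffff:192.0.2.10 port 53522
[2023-01-01 12:00:01] [DEBUG] Connection dropped with no data from ::ffff:192.0.2.10 port 53523
[2023-01-01 12:00:05] [INFO] Connection dropped before auth from: ::ffff:192.0.2.20 port 40001
[2023-01-01 12:00:09] [WARNING] Failed login for user1 from: ::ffff:192.0.2.30 port 40002
[2023-01-01 12:00:10] [WARNING] Failed login for admin from: ::ffff:192.0.2.30 port 40003
[2023-01-01 12:00:11] [INFO] some other xrdp message that is not a connection event
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
# One pattern per proposed message kind; the stage is what a defender keys on
# (bare port probe vs. abandoned handshake vs. actual credential attempt).
STAGE_RES = {
    "no_data": re.compile(r"Connection dropped with no data from:? (?P<ip>\S+) port (?P<port>\d+)"),
    "before_auth": re.compile(r"Connection dropped before auth from:? (?P<ip>\S+) port (?P<port>\d+)"),
    "failed_login": re.compile(r"Failed login for (?P<user>\S+) from:? (?P<ip>\S+) port (?P<port>\d+)"),
}

def normalise_ip(ip):
    """Strip the IPv4-mapped IPv6 prefix that dual-stack sockets report."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip

def parse_line(line):
    """Return a dict for one of the three connection events, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for stage, rx in STAGE_RES.items():
        sm = rx.search(m["msg"])
        if sm:
            d = sm.groupdict()
            return {"ts": m["ts"], "level": m["level"], "stage": stage,
                    "ip": normalise_ip(d["ip"]), "port": int(d["port"]),
                    "user": d.get("user")}
    return None

def summarise(text):
    """Count events per source IP and stage: {ip: {stage: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            counts[ev["ip"]][ev["stage"]] += 1
    return {ip: dict(stages) for ip, stages in counts.items()}
```

Running `summarise(SAMPLE_LOG)` on the constructed input yields two no-data drops from 192.0.2.10, one pre-auth drop from 192.0.2.20 and two failed logins from 192.0.2.30, which is exactly the distinction the thread asks the log to make.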
This issue has been prompted by a discussion with @timriker in #1976.
When an initial connection is made to the xrdp process which is subsequently dropped, the logging is not at all useful (e.g.) :-
The above log was taken from a connection sequence from the mstsc.exe client when the client decided to prompt the user regarding the presented certificate:-
As well as not being very useful, the log messages are indistinguishable from those obtained if a connection attempt was made with no information being presented at all to the server (i.e. a rudimentary port scan).
Where a connection attempt is abandoned before being completed, a more informative message should be added to the log.