RichardX720  
#1 Posted : Saturday, August 6, 2016 10:03:48 PM(UTC)
RichardX720


Rank: Newbie

Joined: 2/4/2016(UTC)
Posts: 4
Netherlands
Location: Amsterdam

Good Day,

I run SC on an Ubuntu 14.04 server. Is there any way to pipe the failed login attempts and IP to a log file? Then I can implement fail2ban to watch that log.

Thank you for your time in this matter.
Scott  
#2 Posted : Tuesday, August 9, 2016 12:57:13 PM(UTC)
Scott


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 3/28/2014(UTC)
Posts: 2,398
United States

Thanks: 3 times
Was thanked: 297 time(s) in 255 post(s)
To my knowledge we don't currently have anything like this, but you may want to check out this thread.
ScreenConnect Team
RichardX720  
#3 Posted : Wednesday, August 10, 2016 2:03:20 AM(UTC)
RichardX720


Rank: Newbie

Joined: 2/4/2016(UTC)
Posts: 4
Netherlands
Location: Amsterdam

Thanks for the heads up. Unfortunately, that thread is related to Windows installations. I am running SC on Linux. Are there any logs at all that SC creates, or is everything in the DB, i.e. what it's doing etc.? From what I can tell, when you do an HTTP query on port 80 or 443, it states that the web server is ScreenConnect itself. Is there any documentation on how this is running HTTP?

Thanks

Richard

Edited by user Wednesday, August 10, 2016 2:08:26 AM(UTC)  | Reason: Not specified

Scott  
#4 Posted : Wednesday, August 10, 2016 12:58:18 PM(UTC)
Scott


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 3/28/2014(UTC)
Posts: 2,398
United States

Thanks: 3 times
Was thanked: 297 time(s) in 255 post(s)
Ah, I missed that, thanks for the correction!

We don't log each and every authentication attempt, but we do store DateTime information from the latest attempt per user that could be helpful for you. Within the User.xml file (/opt/screenconnect/App_Data/User.xml by default) we store:


  • LastActivityDate
  • LastLockoutDate
  • LastLoginDate
  • LastPasswordChangedDate


In addition to whether or not the user is currently locked out.

Again, not necessarily the exact thing you're looking for, but I can think of a few potential bash scripts that could be implemented to "monitor" this file for changes to those values.
ScreenConnect Team
TheRuleOfTheGame  
#5 Posted : Saturday, January 28, 2017 9:25:08 PM(UTC)
TheRuleOfTheGame


Rank: Guest

Joined: 1/28/2017(UTC)
Posts: 1

I wanted this badly because we just moved from Windows to Linux. Yes, we didn't have this on Windows, but we lost a datacenter and we had to move everything. I finally got this to work; however, because of the lack of support so far for IPv6 in fail2ban I couldn't get IPv6 to work, but I got IPv4 to work!!

You're going to have to edit some files, but I will walk you through it! Lucky for ScreenConnect, it's only one file we have to change: Login.aspx

Open this up and we need to add the following right after line 49.
Open Login.aspx with either nano or your favorite text editor and add the following two lines under line 49.

Line 49 looks like this on version 6.1.12232.6229, but as long as you add it before the starting if/else statements you're perfect!
Code:
var result = WebAuthentication.TryLogin(userName, password, oneTimePassword, this.Context);


Code:
System.Web.HttpContext context = System.Web.HttpContext.Current;
// HTTP_X_FORWARDED_FOR is only present when a reverse proxy you control sets it; otherwise log the connecting address
string ipAddress = context.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] ?? context.Request.UserHostAddress;


What the lines above will do is set a variable, ipAddress, so we can see what address they are using; we will use this for the log file.

Next you will need to find two different else if statements.

Find this line; for me it was line 83
Code:
else if (result == LoginResult.UserNameInvalid)


Put this inside the else if statement

Code:
// InvariantCulture keeps English month names regardless of the server locale, so fail2ban can parse the date
System.IO.File.AppendAllText(@"/var/log/screenconnect", DateTime.Now.ToString("MMM d HH:mm:ss", System.Globalization.CultureInfo.InvariantCulture) + " Authentication failure from " + ipAddress + Environment.NewLine);


It will look something like this after you're done

Code:
else if (result == LoginResult.UserNameInvalid)
{
// log the failed attempt in a syslog-style line that the fail2ban filter below can match
System.IO.File.AppendAllText(@"/var/log/screenconnect", DateTime.Now.ToString("MMM d HH:mm:ss", System.Globalization.CultureInfo.InvariantCulture) + " Authentication failure from " + ipAddress + Environment.NewLine);
throw new System.Security.SecurityException(WebResources.GetString("LoginPanel.InvalidUserNameText"));
}


After that you need to edit the line right under that, and it should be line 83, which looks like

Code:
else if (result == LoginResult.PasswordInvalid)


Put this inside the else if statement

Code:
// InvariantCulture keeps English month names regardless of the server locale, so fail2ban can parse the date
System.IO.File.AppendAllText(@"/var/log/screenconnect", DateTime.Now.ToString("MMM d HH:mm:ss", System.Globalization.CultureInfo.InvariantCulture) + " Authentication failure from " + ipAddress + Environment.NewLine);


It will look something like this after you're done

Code:
else if (result == LoginResult.PasswordInvalid)
{
// same log line as for an invalid user name, so both cases count toward the fail2ban ban
System.IO.File.AppendAllText(@"/var/log/screenconnect", DateTime.Now.ToString("MMM d HH:mm:ss", System.Globalization.CultureInfo.InvariantCulture) + " Authentication failure from " + ipAddress + Environment.NewLine);
throw new System.Security.SecurityException(WebResources.GetString("LoginPanel.InvalidPasswordText"));
}


That's it for the mods to ScreenConnect; something so simple, I don't know why they didn't include this in the first place. Next you will have to make sure you have fail2ban installed. If you don't know how to do this, take a look at https://www.linode.com/d...ng-fail2ban-for-security; they have a great HowTo to get it done!

After fail2ban is installed (or if you already had it installed), we need to edit the jail.conf that's located in /etc/fail2ban/jail.conf

Just add the following lines to the config; the bottom will be fine.

Code:
[screenconnect]

enabled  = true
port     = http,https
filter   = screenconnect
logpath  = /var/log/screenconnect
maxretry = 10


The maxretry means someone can try 10 times before the system bans them. You can adjust this to your needs, but just a fair warning: this will ban you from the whole system, so if you have exposed your SSH port you will not be able to SSH in to unblock yourself.

Next you need to create a filter. For my Ubuntu setup it's located in /etc/fail2ban/filter.d/screenconnect.conf. I created it using my favorite text editor, or you can use nano

Code:
nano /etc/fail2ban/filter.d/screenconnect.conf


Once inside the file copy and paste the following information into it

Code:
[INCLUDES]

before = common.conf

[Definition]
failregex = ^%(__prefix_line)sAuthentication failure from <HOST>$

ignoreregex =


Exit and save this file and restart fail2ban

Code:
service fail2ban restart


If everything works, the fail2ban service should be running!

Now that this is all done, go test it. I would recommend using an IP address that's not tied to your main IP. For example, I used my cell phone to try to log in, and while I was on my computer I was checking the /var/log/screenconnect file for the "Authentication failure from *" logs. After 10 tries I was banned from my server :)

NOTE!!!! Every time you upgrade ScreenConnect it will most likely upgrade your Login.aspx file, so I would recommend making a backup of it in another location in case you upgrade and it overwrites your settings. I would recommend using the new file when new ones come out and just reapplying these settings!
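The log line format and fail2ban filter from the post above, replayed over constructed sample lines as an added example (not code from the post, from ScreenConnect or from fail2ban): it uses the host pattern fail2ban substitutes for <HOST> and the same maxretry counting, so you can see which lines match and why an empty host (no X-Forwarded-For header), a comma-separated proxy chain, or an IPv6 address (as the poster observed) never leads to a ban. The function names, the 600 s findtime and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Mirrors the filter's failregex: the timestamp written by
# DateTime.Now.ToString("MMM d HH:mm:ss"), then the message. The host group is
# the pattern fail2ban substitutes for <HOST> (no ':' so IPv6 never matches).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"Authentication failure from (?P<host>[\w\-.^_]*\w)$"
)

# Constructed sample log (not real traffic): ten failures from one address,
# one line with an empty host (no X-Forwarded-For header), one with a
# comma-separated proxy chain, one IPv6 address and one lone failure.
SAMPLE_LOG = (
    ["Jan 28 21:00:%02d Authentication failure from 203.0.113.7" % s for s in range(10)]
    + ["Jan 28 21:00:05 Authentication failure from ",
       "Jan 28 21:00:06 Authentication failure from 198.51.100.9, 10.0.0.1",
       "Jan 28 21:00:07 Authentication failure from 2001:db8::1",
       "Jan 28 21:01:00 Authentication failure from 198.51.100.9"]
)

def parse_line(line, year=2017):
    """Return (timestamp, host) or None when the line would not match failregex."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("host")

def hosts_to_ban(lines, maxretry=10, findtime=600):
    """Hosts with at least maxretry matching failures inside a sliding
    window of findtime seconds (fail2ban's default findtime is assumed)."""
    recent = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # non-matching lines never count, exactly as in fail2ban
        ts, host = parsed
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['203.0.113.7']
```

The three non-matching sample lines are the cases to watch for in a real /var/log/screenconnect: if the host field comes out empty or contains more than one address, fail2ban silently counts nothing.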