#1 Posted : Thursday, August 6, 2015 5:56:11 PM(UTC)

I played around with fail2ban and screenconnect today. Can someone make this an extension or make it more "sane"? Mainly a proof of concept that this can be done somewhat easily.

I know just enough to be dangerous, but I figured out that I could edit Login.aspx (which I assume is overridden at upgrades) and created some functionality to log login failures to /var/log/screenconnect's logfile.

It opens /var/log/screenconnect and appends a line for each login failure:

Aug 6 13:38:50 screenconnect(debian.domain.tld): Authentication failure from

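Here is the relevant jail.local:

# Section header was missing from the post as extracted; the jail name is assumed to match the filter.
[screenconnect]
enabled = true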
filter = screenconnect
logpath = /var/log/screenconnect
port = 8040

Here is filter.d/screenconnect.conf:

# Fail2Ban configuration file
# Author: Rich Kreider

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = screenconnect

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
failregex = ^%(__prefix_line)sAuthentication failure from <HOST>$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =

Here are the modified lines of Login.aspx:

Find this line (Line 66 of latest build as of this writing) and add line #68 below:

 66                         else if (result == LoginResult.UserNameOrPasswordInvalid)
 67                         {
 68                                 File.AppendAllText(@"/var/log/screenconnect", DateTime.Now.ToString("MMM d H:mm:ss") + " screenconnect(" + Dns.GetHostName() + "): Authentication failure from " + GetIPAddress() + Environment.NewLine);
 69                                 throw new System.Security.SecurityException("Invalid credentials");
 70                         }

I copied from the internets this function to get the IP address of a host (for logging ability called above on line 68). Add this before the ending script tag.

protected string GetIPAddress()
{
    System.Web.HttpContext context = System.Web.HttpContext.Current;
    string ipAddress = context.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];

    if (!string.IsNullOrEmpty(ipAddress))
    {
        string[] addresses = ipAddress.Split(',');
        if (addresses.Length != 0)
        {
            return addresses[0];
        }
    }

    return context.Request.ServerVariables["REMOTE_ADDR"];
}
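
A variant of the GetIPAddress() helper above, added here as an example and not part of the original post: it uses X-Forwarded-For only when the connection comes from a reverse proxy you operate and returns only a parsed IP literal, so the address fail2ban acts on is one the server observed rather than a header value the client supplied. The TrustedProxies list and its loopback entries are assumptions; adjust them to your deployment.

```csharp
// Added example, not the original poster's code. Drop-in alternative to GetIPAddress().
// TrustedProxies is an assumption: list only the reverse proxies you operate.
private static readonly string[] TrustedProxies = { "127.0.0.1", "::1" };

protected string GetIPAddress()
{
    System.Web.HttpContext context = System.Web.HttpContext.Current;

    // REMOTE_ADDR is the TCP peer as seen by the web server.
    string peer = context.Request.ServerVariables["REMOTE_ADDR"];

    // X-Forwarded-For is an ordinary request header. Honor it only when the
    // peer is one of your own proxies. A peer reported in another textual form
    // (for example IPv4-mapped IPv6) does not match and falls through to
    // REMOTE_ADDR, which is the safe default.
    if (System.Array.IndexOf(TrustedProxies, peer) >= 0)
    {
        string forwarded = context.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
        if (!string.IsNullOrEmpty(forwarded))
        {
            // Each proxy appends the address it received the request from, so
            // the right-most entry is the one written by the trusted proxy.
            string[] addresses = forwarded.Split(',');
            string candidate = addresses[addresses.Length - 1].Trim();

            // Parse before logging: only a literal IP address reaches the log
            // line, which keeps spaces, newlines and hostnames out of the text
            // that the fail2ban filter reads.
            System.Net.IPAddress parsed;
            if (System.Net.IPAddress.TryParse(candidate, out parsed))
            {
                return parsed.ToString();
            }
        }
    }

    return peer;
}
```

With no proxy in front of ScreenConnect, leave TrustedProxies empty so the header is never consulted.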

#2 Posted : Wednesday, August 12, 2015 10:55:53 PM(UTC)

+1 for this. I love fail2ban!