rjkreider  
#1 Posted : Thursday, August 6, 2015 5:56:11 PM(UTC)
I played around with fail2ban and ScreenConnect today. Can someone make this an extension or make it more "sane"? Mainly a proof of concept that this can be done somewhat easily.

I know just enough to be dangerous, but I figured out that I could edit Login.aspx (which I assume is overridden at upgrades) and created some functionality to log login failures to /var/log/screenconnect's logfile.

It opens /var/log/screenconnect and appends a line for each login failure:

Aug 6 13:38:50 screenconnect(debian.domain.tld): Authentication failure from 192.168.1.99


Here is the relevant jail.local:

Code:
[screenconnect]

enabled = true
filter = screenconnect
logpath = /var/log/screenconnect
port = 8040


Here is filter.d/screenconnect.conf:

Code:
# Fail2Ban configuration file
#
# Author: Rich Kreider
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = screenconnect

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)sAuthentication failure from <HOST>$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


Here are the modified lines of Login.aspx:

Find this line (line 66 of the latest build as of this writing) and add line #68 below:

Code:
 66                         else if (result == LoginResult.UserNameOrPasswordInvalid)
 67                         {
 68                                 File.AppendAllText(@"/var/log/screenconnect", DateTime.Now.ToString("MMM d H:mm:ss") + " screenconnect(" + Dns.GetHostName() + "): Authentication failure from " + GetIPAddress() + Environment.NewLine); // File is System.IO, Dns is System.Net: import both in the page if they are not already
 69                                 throw new System.Security.SecurityException("Invalid credentials");
 70                         }


I copied this function from the internets to get the IP address of a host (for the logging call above on line 68). Add this before the ending script tag.

Code:
// Returns the address that made the request. HTTP_X_FORWARDED_FOR is a
// client-supplied header: only trust it when the server sits behind a reverse
// proxy that overwrites it, otherwise a remote user can choose the address
// that gets written to the log and banned by fail2ban. Without a proxy,
// REMOTE_ADDR alone is the safe choice.
protected string GetIPAddress()
{
    System.Web.HttpContext context = System.Web.HttpContext.Current;
    string ipAddress = context.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];

    if (!string.IsNullOrEmpty(ipAddress))
    {
        // X-Forwarded-For may hold a comma-separated chain of addresses;
        // the first entry is the original client as reported by the proxy
        string[] addresses = ipAddress.Split(',');
        if (addresses.Length != 0)
        {
            return addresses[0].Trim();
        }
    }

    return context.Request.ServerVariables["REMOTE_ADDR"];
}

jonc  
#2 Posted : Wednesday, August 12, 2015 10:55:53 PM(UTC)
+1 for this. I love fail2ban!