Last week there were several unsuccessful login attempts to the xrdp server on a few of my systems. All the syslog logs for the day had to say were entries like the ones below for each failed attempt:
Nov 1 23:48:56 servername sesman: pam_unix(sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 1 23:48:56 servername sesman: pam_unix(sesman:auth): check pass; user unknown
Not much to go on, is it? Fortunately, on one of my systems I had enabled iptables logging for connections to port 3389, so I was able to find the source IP address of the unauthorized accesses, and report them. It would be better if these sesman log entries from pam_unix had more useful information, e.g. if rhost= reported the client IP address. I think this would require that information to be passed along from the RDP protocol handler to the sesman process, which is a more complicated fix than my limited understanding of the program code would allow. But doing this would allow other helpful features like passing the IP address on to the Xvnc session somehow, e.g. in an environment variable or some other file (see feature request #2028368).
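The correlation described above (matching iptables connection logs for port 3389 against sesman failures that carry an empty rhost=) can be scripted. This is an added example, not part of the original post or of xrdp; the sample lines are constructed, and the 60-second window, the assumed year and the single shared syslog file are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (documentation-range addresses), not from the post.
SAMPLE = """\
Nov  1 23:40:02 servername kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=3389 SYN
Nov  1 23:48:51 servername kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=3389 SYN
Nov  1 23:48:56 servername sesman: pam_unix(sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov  1 23:48:56 servername sesman: pam_unix(sesman:auth): check pass; user unknown
Nov  1 23:59:30 servername sesman: pam_unix(sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
"""

TS = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s")
CONN = re.compile(r"kernel:.*\bSRC=(\S+).*\bDPT=3389\b")   # iptables LOG target fields
FAIL = re.compile(r"sesman: pam_unix\(sesman:auth\): authentication failure")

def parse_ts(line, year=2000):
    """Syslog timestamps carry no year; one is assumed so they can be compared."""
    m = TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")

def correlate(log_text, window_seconds=60):
    """Return (failure_time, [candidate source IPs]) for each sesman auth failure.

    Candidates are sources that connected to port 3389 within window_seconds
    before the failure. An empty list means no connection was logged in time.
    """
    window = timedelta(seconds=window_seconds)
    conns, results = [], []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        m = CONN.search(line)
        if m:
            conns.append((ts, m.group(1)))
        elif FAIL.search(line):
            ips = sorted({ip for t, ip in conns if timedelta(0) <= ts - t <= window})
            results.append((ts.strftime("%b %d %H:%M:%S"), ips))
    return results

if __name__ == "__main__":
    for when, ips in correlate(SAMPLE):
        print(when, ", ".join(ips) or "no logged connection in window")
```

The result is a list of candidates, not an attribution: several clients connecting in the same window all appear, and a client that idles at the login screen longer than the window is missed.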