Port Forward/RDP Log
I have been looking for a way to log RDP access to PCs in my network that I have set up with port forwarding rules through server-manger.
Using ideas from “VPN practical tips” to create outside rdp:port to inside pc @rdp:3389, and then
Using ideas from “Documentation:FAQ#Firewall: Custom templates” I created a template in /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
92RDP_Logs
And added this
iptables -I ForwardedTCP -p tcp -j LOG --log-tcp-sequence --log-prefix "(Remote Desktop Access) "
I could only get this to work past file name 80xxx . It would not work at 42RDP_Logs.
Somehow though, this method produced a bug that affected the server-mangers ‘port forward’ from updating iptables with a new port forward rule.
So when I add a new port farword rule in server-manger I then
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
and everything works fine.
On the report side I set up cron that runs this next file. Thanks to dungog.net crontab, it emails me
#!/bin/bash
/bin/cat /var/log/messages*|/bin/grep 'Remote Desktop'|\
/bin/sed 's/smfserver02.*eth0//g'|/bin/sed 's/LEN.*URGP=0//'\
|/bin/sort -u|sort
#\>/home/e-smith/files/users/cdurbrow/home/logreports/remotelist
If I were a real programmer, it would be great to have the computer name and the ip address; the dates sorted better and even the user login.
The output looks like this
Apr 19 17:06:35 SRC=xx.181.244.61 DST=xxx.93.154.181
Apr 19 17:10:13 SRC=xx.181.244.61 DST=xxx.93.154.159
Apr 19 21:01:07 SRC=xx.198.230.134 DST=xxx.93.154.73
Apr 20 07:38:36 SRC=xx.231.131.77 DST=xxx.93.154.74
Apr 20 07:40:03 SRC=xx.231.131.77 DST=xxx.93.154.74
Apr 20 11:49:06 SRC=xx.231.131.77 DST=xxx.93.154.74
Any input from you all would be appreciated
2 Replies
2485 Views