Topic: Port forward and logging connection

[Drifting]

Hi All.

I have a port forward for RDP setup on our SME server over to a Windows server, is there anything that would log access through this? with the IP addresses? IPtables was rather daunting to just scan through and would I assume overwrite at some stage. I am interested to know who connected over time.

Paul

[mmccarn]

You'd have to make some pretty serious customizations to the templates with 'Forward' in the name from this folder: /sbin/e-smith/audittools/templates

When done you'd have log files that grow pretty quickly.

I wanted to do the same thing a few years ago; I started with a powershell script that shows RDP logins -- but that script won't show the remote IP addresses.

I couldn't get an easy, succinct report from my firewall (Smoothwall, not SME) showing RDP IP connections, so we ended up writing a custom program that doesn't actually work that well.

In case it's helpful to you, here are the powershell script and batch file we used for a while that shows *who* has connected - locally or remotely - in the last 14 days.  Login event type 7 (RDP Login) does include an IP address, so you may be able to modify this script to show the remote IP address used.

Code: (userLogins.ps1) [Select]

# Connects to the security eventlog of a remote computer and retrieves successful login events ( event ID 528 ) and what type of login took place
# Information about login types found at http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528
#
# 22.09.2009 Konrß≡ Hall

$wkstn = $args[0]
$after = [DateTime]::Now.AddDays(-14)
$events =  Get-EventLog -ComputerName $wkstn -LogName "Security" -after $after | Where {($_.eventid -eq 528) }

if ($events) {
foreach ( $event in $events      ) {

if (($wkstn -eq "acctg") -and ($event.message | Select-String "Logon Type:      2")) {
        $wkstn+ "       TS      " + $event.UserName +"  "+ $event.TimeGenerated.DateTime+"      "+ $after
        }
if (($wkstn -ne "acctg") -and ($event.message | Select-String "Logon Type:      2")){
        $wkstn+ "       Kbd     "+$event.UserName + "   "+ $event.TimeGenerated.DateTime+"      "+ $after
        }

        if (($event.message | Select-String "Logon Type:        7")){

                $wkstn + "      Unlock  "+ $event.UserName +"   "+ $event.TimeGenerated.DateTime+"      "+ $after

        }
        if (($event.message | Select-String "Logon Type:        10")){

                $wkstn + "      RDP     "+$event.UserName +"    "+ $event.TimeGenerated.DateTime+"      "+ $after

        }

        if (($event.message | Select-String "Logon Type:        11")){

                $wkstn+ "       Cached  "+$event.UserName +"    "+ $event.TimeGenerated.DateTime+"      "+ $after

        }

}
}
else {$wkstn+ " No Logins"+"    " +"    " +"    "+ $after}

I use this batch file to call the above powershell script for a range of workstation names:

Code: (userLogins.bat) [Select]

@echo off
set logfile=%~dp0Logins_%date:~10,4%%date:~4,2%%date:~7,2%.xls
echo Computer   Type    Username        Time    Since> %logfile%

for %%w in (acctg backup01 webdev vm001 vm002 vm003  sql2005) do (
        set wkstn=%%w
        call :getlogins
        )
goto :done



:getlogins
echo %wkstn%
ping -n 1 -w 2 %wkstn% >nul 2>nul
if "%errorlevel%" == "0" (
powershell %~dp0userlogins.ps1 %wkstn%          |find "%wkstn%" >> %logfile%
goto :eof
)
echo %wkstn%    No PING >> %logfile%
goto :eof

:done


[Drifting]

Oh nice.

Thanks, as the saying goes, a solution is better than no solution. Must admit was thinking of something that logged on the sme, but I am probably safer with Windows as I have more experience of that.

Thankyou.

Paul.

[guest22]

Any chance this can be wikinized pls?

[Stefano]

Oh nice.

Thanks, as the saying goes, a solution is better than no solution. Must admit was thinking of something that logged on the sme, but I am probably safer with Windows as I have more experience of that.

Thankyou.

Paul.

you should:
- find something like NTSyslog for your windows server
- configure SME to be a syslog server (see wiki)
- configure your server to send events to SME
- filter /var/log/messages with your favourite tool

HTH

[mmccarn]

Any chance this can be wikinized pls?

If you're talking about the powershell script I posted:
Without the remote IP address I found this solution basically lacking, and don't know that it belongs on the SME server wiki.

I ran across the original script again this morning when googling 'powershell rdp logins', but now I'm only finding references to complicated looking scripts on Microsoft technet:
http://gallery.technet.microsoft.com/scriptcenter/Collect-RDP-logon-entries-dc3e19d0


NOTE:
For the powershell script above to work, you have to enable login/logoff auditing:
http://support.microsoft.com/kb/556015
http://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx

Like Paul, I would much prefer to have monitoring software on my firewall -- or perhaps a combination (connection monitoring on the firewall for IP info combined with connection monitoring on the windows box for usernames).

[CharlieBrady]

I have a port forward for RDP setup on our SME server over to a Windows server, is there anything that would log access through this? with the IP addresses? IPtables was rather daunting to just scan through and would I assume overwrite at some stage. I am interested to know who connected over time.

The iptables rules could be changed to log as well as allow. Those logs would only show the connecting IP address, not the "who" connected.