How to handle port scanning and logs? #3045
Unanswered. araujofrancisco asked this question in Q&A (1 comment, 2 replies).
-
This is a known problem; see #2040. The best solution to this is to use a VPN for any RDP connection. This guards against all sorts of problems, not just logging ones. It's in the FAQ.
-
I have noticed that xrdp.log is growing fast due to port scans and the error reported on SSL:
[20240424-09:09:04] [ERROR] Sending [ITU T.125] DisconnectProviderUltimatum failed
[20240424-09:09:04] [INFO ] Socket 12: AF_INET connection received from 193.56.116.205 port 50515
[20240424-09:09:04] [INFO ] Security protocol: configured [SSL|RDP], requested [SSL|HYBRID|RDP], selected [SSL]
[20240424-09:09:04] [ERROR] SSL_accept: I/O error
[20240424-09:09:04] [ERROR] trans_set_tls_mode: ssl_tls_accept failed
[20240424-09:09:04] [ERROR] xrdp_sec_incoming: trans_set_tls_mode failed
[20240424-09:09:04] [ERROR] xrdp_rdp_incoming: xrdp_sec_incoming failed
[20240424-09:09:04] [ERROR] xrdp_process_main_loop: libxrdp_process_incoming failed
[20240424-09:09:04] [ERROR] xrdp_iso_send: trans_write_copy_s failed
[20240424-09:09:04] [ERROR] Sending [ITU T.125] DisconnectProviderUltimatum failed
This causes the log file to grow to about 70MB a day. I implemented some ipset/iptables rules to drop connections when a port scanner is detected, but it seems to detect just a few of them.
What are the strategies you apply in a similar situation? Are you setting logs for core only? Any reliable way to detect port scanners and stop them more effectively?
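One way to get at the "detect scanners from the log" part of the question, as an added example that is not from this discussion or from the xrdp project: it parses lines in the xrdp.log format quoted above, attributes each SSL_accept failure to the peer address from the preceding "connection received" line, flags peers with repeated failures inside a short window, and emits entries for an ipset blocklist like the one the questioner already drops on. The set name xrdp_scanners, the threshold and window values, and the sample addresses are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the xrdp.log format quoted above (documentation-range
# addresses): 198.51.100.7 fails the TLS handshake three times, 203.0.113.9 connects cleanly once.
SAMPLE_LOG = """\
[20240424-09:09:04] [INFO ] Socket 12: AF_INET connection received from 198.51.100.7 port 50515
[20240424-09:09:04] [ERROR] SSL_accept: I/O error
[20240424-09:09:31] [INFO ] Socket 12: AF_INET connection received from 198.51.100.7 port 50602
[20240424-09:09:31] [ERROR] SSL_accept: I/O error
[20240424-09:09:50] [INFO ] Socket 13: AF_INET connection received from 203.0.113.9 port 41000
[20240424-09:09:50] [INFO ] Security protocol: configured [SSL|RDP], requested [SSL|HYBRID|RDP], selected [SSL]
[20240424-09:09:58] [INFO ] Socket 12: AF_INET connection received from 198.51.100.7 port 50777
[20240424-09:09:58] [ERROR] SSL_accept: I/O error
"""

TS_RE = re.compile(r"^\[(\d{8}-\d{2}:\d{2}:\d{2})\]")
CONN_RE = re.compile(r"connection received from (\S+) port \d+")
HANDSHAKE_FAIL = "SSL_accept: I/O error"

def handshake_failures(log_text):
    """Map each peer address to timestamps of its failed TLS handshakes."""
    # xrdp logs the peer on the 'connection received' line and the SSL_accept
    # error on a later line, so the last seen address is carried forward.
    failures, current = {}, None
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            current = m.group(1)
        elif HANDSHAKE_FAIL in line and current is not None:
            stamp = TS_RE.match(line).group(1)
            failures.setdefault(current, []).append(datetime.strptime(stamp, "%Y%m%d-%H:%M:%S"))
    return failures

def suspicious_sources(log_text, threshold=3, window_seconds=120):
    """{address: total failures} for peers with >= threshold failures in one window."""
    flagged = {}
    for addr, stamps in handshake_failures(log_text).items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for s in stamps[i:] if (s - start).total_seconds() <= window_seconds)
            if in_window >= threshold:
                flagged[addr] = len(stamps)
                break
    return flagged

def ipset_commands(flagged, setname="xrdp_scanners", timeout=3600):
    """Entries for the questioner's ipset/iptables setup; set name and timeout are assumptions."""
    return [f"ipset add {setname} {a} timeout {timeout} -exist" for a in sorted(flagged)]
```

The ipset commands assume the set already exists and was created with timeout support, and the iptables rule that drops matching sources is the questioner's existing setup. Blocking repeat offenders reduces the noise but does not by itself shrink xrdp's logging of the first few attempts from each new source.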