  1. #1
    Newbie
    Join Date
    Jun 2018
    Posts
    6

    Client created many RDP sessions - SServerAddr NOT a local address

    I'm getting alert emails which I'm having a hard time figuring out.

    I've received over a dozen of these emails over the last couple of weeks.

    I have NO RDP ports forwarded.

    ----

    The following event occurred on the Untangle Server @ 2018-06-03 21:06:33.644

    Suspicious Activity: Client created many RDP sessions:
    Session [TCP] 98.143.148.15:64926 -> xx.xxx.xxx.xx:3389

    Causal Event: SessionEvent
    {
    "entitled": true,
    "CClientAddr": "/98.143.148.15",
    "SClientAddr": "/98.143.148.15",
    "sessionId": 100043138215703,
    "CClientPort": 64926,
    "timeStamp": "2018-06-03 21:06:33.644",
    "hostname": "xx.xxx.xxx.xx",
    "CServerPort": 3389,
    "clientIntf": 1,
    "protocol": 6,
    "policyId": 0,
    "SClientPort": 64926,
    "protocolName": "TCP",
    "SServerPort": 3389,
    "bypassed": true,
    "CServerAddr": "/xx.xxx.xxx.xx",
    "localAddr": "/xx.xxx.xxx.xx",
    "SServerAddr": "/xx.xxx.xxx.xx",
    "remoteAddr": "/98.143.148.15",
    "serverIntf": 1
    }

    This is an automated message sent because the event matched the configured Event Rules.

    ----

    They each have a different SServerAddr but are part of the same subnet. The addresses resolve to my local ISP's ranges but not MY static WAN address. When looking at the sessions list it shows both interfaces as external.

    Thanks!

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,245

    Can you give us an idea if the xx.x.x.x IPs are local or Internet?
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,701

    Yeah if you want help interpreting an error message, you need to provide that error message. If you aren't comfortable posting that information completely, you need to work with Untangle support.

    We can't help you based on incomplete information, sorry.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Newbie
    Join Date
    Jun 2018
    Posts
    6

    Sorry, here are a few of the addresses that it was trying to RDP to.

    From To
    74.93.155.229 --> 74.205.130.53
    98.143.148.15 --> 74.205.130.54
    195.215.36.232 --> 74.205.130.62
    36.99.44.47 --> 74.205.130.51
    113.160.165.237 --> 74.205.130.63

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,701

    That doesn't make much sense... Did you enable SSH or remote management? Because those are public addresses to public addresses, and your Untangle shouldn't be doing that unless it's been compromised or horribly misconfigured.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Newbie
    Join Date
    Jun 2018
    Posts
    6

    SSH is not enabled. I have HTTPS on WAN enabled but using a different non-standard port number.
    The only other thing special is I have about a dozen Untangle sites that connect via OpenVPN. None of which have those public IP addresses.

  7. #7
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,536

    That alert will fire on any sessions logged, whether they go through Untangle or not, even if they get routed back out the external or just dropped/blocked.
    You can disable the rule if you don't want to see it.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
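
A triage helper for the alert discussed in this thread, as an added example that is not part of any post or of Untangle's own code: it reads the SessionEvent fields shown in post #1 and separates external-to-external sessions (the case post #7 describes) from sessions aimed at the firewall's own address or at an internal interface. Interface id 1 being external, the OWN_NETWORKS values and the verdict labels are assumptions.

```python
import ipaddress
import json

# Constructed sample: the thread's SessionEvent with the redacted server
# address filled in from post #4 (98.143.148.15 --> 74.205.130.54).
SAMPLE_EVENT = json.loads("""{
  "CClientAddr": "/98.143.148.15", "CClientPort": 64926,
  "SServerAddr": "/74.205.130.54", "SServerPort": 3389,
  "clientIntf": 1, "serverIntf": 1, "bypassed": true, "protocolName": "TCP"
}""")

# Assumptions: interface id 1 is the external (WAN) interface, and
# 203.0.113.10 is a placeholder for the site's own static WAN address.
EXTERNAL_INTFS = {1}
OWN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("203.0.113.10/32", "192.168.1.0/24")]


def addr(value):
    """Event addresses are rendered as "/a.b.c.d"; drop the leading slash."""
    return ipaddress.ip_address(value.lstrip("/"))


def triage(event, own_networks=OWN_NETWORKS, external=EXTERNAL_INTFS):
    """Classify a SessionEvent from a 'many RDP sessions' alert."""
    server = addr(event["SServerAddr"])
    ours = any(server in net for net in own_networks)
    in_ext = event["clientIntf"] in external
    out_ext = event["serverIntf"] in external
    if in_ext and not out_ext:
        return "inbound-forwarded"     # leaves via an internal interface: review port forwards
    if in_ext and out_ext and ours:
        return "inbound-to-firewall"   # aimed at one of our own addresses
    if in_ext and out_ext:
        return "external-to-external"  # seen on the WAN side, not addressed to us
    return "outbound-or-internal"      # a client behind the firewall opening RDP sessions


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

Only the "external-to-external" verdict matches the situation in this thread; the other three are the cases worth investigating before disabling the rule.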
